Play interactive tour

Edit tour

Windows Analysis Report 60e40fb428612.dll

Overview

General Information

Sample Name:	60e40fb428612.dll
Analysis ID:	444548
MD5:	c6bfea479b46b9eb7a69667e0165179f
SHA1:	c7f449ab51a47791a8f3041f0a0dce7c6feb06c4
SHA256:	62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc
Tags:	dllenelgeogoziisfbitaursnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6680 cmdline: loaddll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6708 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6760 cmdline: rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6748 cmdline: rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6792 cmdline: rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Dogwhen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6804 cmdline: rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Sing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6816 cmdline: rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Wholegray MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 6312 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 1320 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3176 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6760	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 4 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000003.317332406.0000000003560000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Source: 60e40fb428612.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: 60e40fb428612.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, 00000000.00000002.476685729.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.477751077.000000006E234000.00000002.00020000.sdmp, 60e40fb428612.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49732 -> 40.97.116.82:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49732 -> 40.97.116.82:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 37.120.222.6:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49755 -> 37.120.222.6:80

Source: Joe Sandbox View	IP Address: 40.101.18.18 40.101.18.18
Source: Joe Sandbox View	IP Address: 40.97.116.82 40.97.116.82

Source: global traffic

HTTP traffic detected: GET /grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9uJKM/uw7wyHm_/2Bzvrq8q92GB9q04QVkch60/s8xolTUIEl/JiLJJpnHLtn3GR9k1/2H8tNCG7sbZq/z7aUK7NADvh/BA6FMpxvpSV9V3/bnPW_2FsZW9JkMS_2Bt_2/FS0OhP_2Bi7_2Fs_/2BndfgWaKsB4v7f/IedJmZ8N1/uc.grow HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive

Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.22.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.22.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.22.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.22.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.22.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.22.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: outlook.com

Source: iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	String found in binary or memory: http://outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9u
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.464931301.000001D552DD2000.00000004.00000020.sdmp	String found in binary or memory: http://vuredosite.club/grower/gjRpowobIXSobHjwI2Wv/_2Fg_2FVDgdI_2BsMGm/BfIb8NeDQ0u4hOXuLbcUki/fsX_2F
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.22.dr	String found in binary or memory: http://www.amazon.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: msapplication.xml1.22.dr	String found in binary or memory: http://www.google.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: msapplication.xml2.22.dr	String found in binary or memory: http://www.live.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: msapplication.xml3.22.dr	String found in binary or memory: http://www.nytimes.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml4.22.dr	String found in binary or memory: http://www.reddit.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.22.dr	String found in binary or memory: http://www.twitter.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.22.dr	String found in binary or memory: http://www.wikipedia.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.22.dr	String found in binary or memory: http://www.youtube.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	String found in binary or memory: https://ei.rdtcdn.com/www-static/cdn_files/redtube/icons/favicon.png?v=855e9f26de79d21367b6ee4a42556
Source: iexplore.exe, 0000001E.00000002.464931301.000001D552DD2000.00000004.00000020.sdmp	String found in binary or memory: https://login.live.com
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp, ~DFC3C25805150DF731.TMP.22.dr, {9F4ECD46-DE7D-11EB-90E4-ECF4BB862DED}.dat.22.dr	String found in binary or memory: https://outlook.office365.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: iexplore.exe, 0000001E.00000002.465171579.000001D552E17000.00000004.00000020.sdmp	String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.480283186.000001D5557CB000.00000004.00000001.sdmp	String found in binary or memory: https://www.outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2F
Source: iexplore.exe, 0000001E.00000002.480050763.000001D555720000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.466280522.000001D552E37000.00000004.00000020.sdmp, iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.479396698.000001D5550E0000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/(
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/18=q
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/3
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/BbRR
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/V
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/e
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/favicon.ico
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/favicon.icoW
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/mdll
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp	String found in binary or memory: https://www.redtube.com/zO%F

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY

System Summary:

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F1996 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F1A44 NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F23A5 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02BA5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02BAB1A5 NtQueryVirtualMemory,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F2184
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02BA888E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02BA3EE1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02BAAF80
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2117B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E224E00
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E22BE61
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E220DB8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2205E5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2288B7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2309C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E2117B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E224E00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E22BE61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E220DB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E2205E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E2288B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E2309C8

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E223290 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E223290 appears 39 times

Source: 60e40fb428612.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal68.troj.winDLL@17/14@17/3

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_02BAA65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF1C465EC4A4AE6446.TMP

Jump to behavior

Source: 60e40fb428612.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Sing
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Wholegray
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Sing
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Wholegray
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: 60e40fb428612.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 60e40fb428612.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 60e40fb428612.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 60e40fb428612.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 60e40fb428612.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 60e40fb428612.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 60e40fb428612.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 60e40fb428612.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: 60e40fb428612.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 60e40fb428612.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 60e40fb428612.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 60e40fb428612.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 60e40fb428612.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1F1BAC LoadLibraryA,GetProcAddress,

Source: 60e40fb428612.dll

Static PE information: real checksum: 0x6292a should be: 0x6af68

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F2120 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F2173 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02BAABC0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02BAAF6F push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E21DE07 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E203276 push ebx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E203244 pushad ; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2232D5 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E202AD8 push edx; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E20103D push cs; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2050D4 push cs; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E21DE07 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E205DD6 push FFFFFFB7h; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E203276 push ebx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E203244 pushad ; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E2232D5 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E202AD8 push edx; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E20103D push cs; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E2050D4 push cs; ret

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Source: iexplore.exe, 0000001E.00000002.480400912.000001D556BD0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: iexplore.exe, 0000001E.00000002.480400912.000001D556BD0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: iexplore.exe, 0000001E.00000002.465171579.000001D552E17000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Wp
Source: iexplore.exe, 0000001E.00000002.480400912.000001D556BD0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}F2
Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};
Source: iexplore.exe, 0000001E.00000002.464773273.000001D552D7F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: iexplore.exe, 0000001E.00000002.480400912.000001D556BD0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E22AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1F1BAC LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E24E2D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E24E207 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E24DE0E push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E24E2D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E24E207 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E24DE0E push dword ptr fs:[00000030h]

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E223484 GetProcessHeap,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E21FEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E21FEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1

Source: loaddll32.exe, 00000000.00000002.466411899.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.474065564.0000000003340000.00000002.00000001.sdmp, iexplore.exe, 0000001E.00000002.474775486.000001D5532B0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.466411899.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.474065564.0000000003340000.00000002.00000001.sdmp, iexplore.exe, 0000001E.00000002.474775486.000001D5532B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.466411899.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.474065564.0000000003340000.00000002.00000001.sdmp, iexplore.exe, 0000001E.00000002.474775486.000001D5532B0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.466411899.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.474065564.0000000003340000.00000002.00000001.sdmp, iexplore.exe, 0000001E.00000002.474775486.000001D5532B0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_02BA9135 cpuid

Source: C:\Windows\System32\loaddll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
Source: C:\Windows\System32\loaddll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1F1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_02BAA199 wsprintfA,GetUserNameW,GetComputerNameW,GetUserNameW,GetComputerNameW,WideCharToMultiByte,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1F1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery23	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.loaddll32.exe.2ba0000.0.unpack	100%	Avira	HEUR/AGEN.1108168		Download File
4.2.rundll32.exe.c20000.1.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Link
vip0x055.ssl.rncdn5.com	0%	Virustotal	Browse
cs733.wpc.rncdn4.com	0%	Virustotal	Browse
vip0x04f.ssl.rncdn5.com	0%	Virustotal	Browse
ei.rdtcdn.com.sds.rncdn7.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://search.orange.co.uk/favicon.ico	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://www.iask.com/	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/	0%	Avira URL Cloud	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://search.ipop.co.kr/favicon.ico	0%	URL Reputation	safe
http://p.zhongsou.com/favicon.ico	0%	URL Reputation	safe
http://p.zhongsou.com/favicon.ico	0%	URL Reputation	safe
http://p.zhongsou.com/favicon.ico	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.de	142.250.201.195	true	false		high
stats.l.doubleclick.net	142.250.102.155	true	false		high
redtube.com	66.254.114.238	true	false		high
vip0x055.ssl.rncdn5.com	205.185.208.85	true	false	0%, Virustotal, Browse	unknown
cs733.wpc.rncdn4.com	192.229.221.206	true	false	0%, Virustotal, Browse	unknown
HHN-efz.ms-acdc.office.com	52.97.201.18	true	false		high
vip0x04f.ssl.rncdn5.com	205.185.208.79	true	false	0%, Virustotal, Browse	unknown
hubtraffic.com	66.254.114.32	true	false		high
outlook.com	40.97.116.82	true	false		high
ei.rdtcdn.com.sds.rncdn7.com	64.210.135.68	true	false	0%, Virustotal, Browse	unknown
ads.trafficjunky.net	66.254.114.38	true	false		high
vuredosite.club	37.120.222.6	true	true		unknown
FRA-efz.ms-acdc.office.com	40.101.18.18	true	false		high
vip0x08e.ssl.rncdn5.com	205.185.208.142	true	false		unknown
static.trafficjunky.com	unknown	unknown	false		high
www.redtube.com	unknown	unknown	false		high
ci-ph.rdtcdn.com	unknown	unknown	false		high
cdn1d-static-shared.phncdn.com	unknown	unknown	false		high
outlook.office365.com	unknown	unknown	false		high
stats.g.doubleclick.net	unknown	unknown	false		high
ht.redtube.com	unknown	unknown	false		high
hw-cdn.trafficjunky.net	unknown	unknown	false		high
www.outlook.com	unknown	unknown	false		high
ei.rdtcdn.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.mtv.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.dailymail.co.uk/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://buscar.ya.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.sogou.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://asp.usatoday.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://rover.ebay.com	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.ebay.in/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
https://www.redtube.com/	iexplore.exe, 0000001E.00000002.480050763.000001D555720000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.466280522.000001D552E37000.00000004.00000020.sdmp, iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.479396698.000001D5550E0000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	false		high
http://www.reddit.com/	msapplication.xml4.22.dr	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.google.ru/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cgi.search.biglobe.ne.jp/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.naver.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://buscar.ozu.es/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://kr.search.yahoo.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.about.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.ask.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.cjmall.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.centrum.cz/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://suche.t-online.de/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.google.it/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.amazon.de/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9u	iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	false		high
http://sads.myspace.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.redtube.com/favicon.ico	iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp	false		high
http://google.pchome.com.tw/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
https://ei.rdtcdn.com/www-static/cdn_files/redtube/icons/favicon.png?v=855e9f26de79d21367b6ee4a42556	iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.sify.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.gmarket.co.kr/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://searchresults.news.com.au/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.google.cz/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.soso.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.univision.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.ebay.it/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.amazon.com/	msapplication.xml.22.dr	false		high
http://images.joins.com/ui_c/fvc_joins.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.asharqalawsat.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.twitter.com/	msapplication.xml5.22.dr	false		high
http://auto.search.msn.com/response.asp?MT=	iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://buscador.terra.es/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://suche.freenet.de/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.interpark.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.ipop.co.kr/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.redtube.com/BbRR	iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp	false		high
http://search.espn.go.com/	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://www.myspace.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
http://search.centrum.cz/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false		high
https://www.redtube.com/18=q	iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp	false		high
http://p.zhongsou.com/favicon.ico	iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
40.101.18.18	FRA-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
40.97.116.82	outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.97.201.18	HHN-efz.ms-acdc.office.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	444548
Start date:	06.07.2021
Start time:	10:12:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 58s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	60e40fb428612.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.winDLL@17/14@17/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.7% (good quality ratio 17.9%) Quality average: 79.9% Quality standard deviation: 28%
HCA Information:	Successful, ratio: 58% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 131.253.33.200, 13.107.22.200, 13.64.90.137, 23.211.4.86, 173.222.108.226, 173.222.108.210, 51.103.5.159, 52.255.188.83, 20.82.210.154, 104.43.139.144, 23.203.80.193, 13.88.21.125, 40.112.88.60, 20.82.209.183, 152.199.19.161, 142.250.180.238, 172.217.19.100 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, wns.notify.trafficmanager.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, www.google.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.google-analytics.com, www.bing.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, www-google-analytics.l.google.com, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:14:14	API Interceptor	1x Sleep call for process: rundll32.exe modified
10:14:24	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
40.101.18.18	PURCHASE ORDER#34556558.exe	Get hash	malicious	Browse
	https://r0qp15r0b1rq05rrpbqbrpq5.s3-eu-west-1.amazonaws.com/Ap3dX.html#joetorre@gmail.com	Get hash	malicious	Browse
	SS21 order IN644.exe	Get hash	malicious	Browse
	https://sammsung055.z13.web.core.windows.net/#sandra.leung@bms.com	Get hash	malicious	Browse
	https://techingcode22.z19.web.core.windows.net/#christoph.metzger@dufry.ch	Get hash	malicious	Browse
	Payment_Remittance_Copy_pdf.html	Get hash	malicious	Browse
	https://normal777.z19.web.core.windows.net/#joao.dias@novobanco.pt	Get hash	malicious	Browse
	https://conectivait.com/t3med/proposal	Get hash	malicious	Browse
	http://blog.ploytrip.com/z9cr/Pages/UxiQlIomnGiGKODewvEaBYLyCJh/	Get hash	malicious	Browse
	https://sap-my.sharepoint.com/:f:/p/matthew_shaw/Ehpzmgu3VfZAsMu8vLvBrCQBHVyLMMbSpZvaMqHdiTvV9A?e=QO7ALe	Get hash	malicious	Browse
40.97.116.82	zHUScMPOlZ.dll	Get hash	malicious	Browse
	nT5pUwoJSS.dll	Get hash	malicious	Browse
	.exe	Get hash	malicious	Browse
	82attachmen.exe	Get hash	malicious	Browse
	62lette.exe	Get hash	malicious	Browse
	5transcrip.exe	Get hash	malicious	Browse
	1message.exe	Get hash	malicious	Browse
	49instructio.exe	Get hash	malicious	Browse
	.exe	Get hash	malicious	Browse
	52DOCUMEN.exe	Get hash	malicious	Browse
	25messag.exe	Get hash	malicious	Browse
	fuck.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
stats.l.doubleclick.net	TestTakerSBBrowser.exe	Get hash	malicious	Browse	74.125.133.155
	vNiyRd4GcH.exe	Get hash	malicious	Browse	108.177.15.154
	sf0X1hMF0g.doc	Get hash	malicious	Browse	74.125.140.157
	sf0X1hMF0g.doc	Get hash	malicious	Browse	74.125.140.155
	DocuSign-June-SOA-Dues.261.htm	Get hash	malicious	Browse	74.125.140.157
	XqnM8G36Ih.exe	Get hash	malicious	Browse	74.125.140.157
	bmaphis@cardinaltek.com_16465506 AMDocAtt.HTML	Get hash	malicious	Browse	74.125.140.154
	Global _Transport NZ..xlsx	Get hash	malicious	Browse	74.125.140.157
	Global _Transport NZ..xlsx	Get hash	malicious	Browse	74.125.140.156
	VM_5823_05_24_2-2.html	Get hash	malicious	Browse	74.125.140.157
	HRXoZLG4ym.exe	Get hash	malicious	Browse	74.125.140.155
	MacKeeper.5.4.pkg	Get hash	malicious	Browse	142.250.27.154
	Hngx5CdG2D.exe	Get hash	malicious	Browse	74.125.140.154
	5474_-_Test_Call_Procedure_4.2.docx	Get hash	malicious	Browse	74.125.140.154
	E1a92ARmPw.exe	Get hash	malicious	Browse	142.251.5.154
	crt9O3URua.exe	Get hash	malicious	Browse	142.250.102.154
	E1a92ARmPw.exe	Get hash	malicious	Browse	142.250.102.157
	Ref#Doc30504871 Wyg.htm	Get hash	malicious	Browse	173.194.76.156
	ManyToOneMailMerge Ver 18.2.dotm	Get hash	malicious	Browse	74.125.140.157
	Sleek_Free.exe	Get hash	malicious	Browse	74.125.140.155
www.google.de	vNiyRd4GcH.exe	Get hash	malicious	Browse	142.250.186.35
	DocuSign-June-SOA-Dues.261.htm	Get hash	malicious	Browse	142.250.184.227
	XqnM8G36Ih.exe	Get hash	malicious	Browse	142.250.184.195
	bmaphis@cardinaltek.com_16465506 AMDocAtt.HTML	Get hash	malicious	Browse	142.250.184.195
	VM_5823_05_24_2-2.html	Get hash	malicious	Browse	142.250.184.195
	HRXoZLG4ym.exe	Get hash	malicious	Browse	142.250.184.195
	Hngx5CdG2D.exe	Get hash	malicious	Browse	142.250.181.227
	muestra6999.exe	Get hash	malicious	Browse	142.250.181.227
	E1a92ARmPw.exe	Get hash	malicious	Browse	172.217.16.99
	crt9O3URua.exe	Get hash	malicious	Browse	172.217.16.99
	E1a92ARmPw.exe	Get hash	malicious	Browse	172.217.16.99
	Ref#Doc30504871 Wyg.htm	Get hash	malicious	Browse	172.217.16.99
	ManyToOneMailMerge Ver 18.2.dotm	Get hash	malicious	Browse	216.58.207.131
	Sleek_Free.exe	Get hash	malicious	Browse	216.58.207.131
	wzdu53.exe	Get hash	malicious	Browse	216.58.207.131
	teX5sUCWAg.exe	Get hash	malicious	Browse	142.251.36.227
	teX5sUCWAg.exe	Get hash	malicious	Browse	142.251.36.227
	SetupFA.exe	Get hash	malicious	Browse	172.217.20.3
	aydrxnitvo.exe	Get hash	malicious	Browse	172.217.23.67
	sP2AXSWC73.exe	Get hash	malicious	Browse	172.217.16.99

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	9cYXsscTTT.exe	Get hash	malicious	Browse	104.42.151.234
	TestTakerSBBrowser.exe	Get hash	malicious	Browse	137.117.66.167
	mJSDCeNxFi.exe	Get hash	malicious	Browse	40.88.32.150
	oEE058tCoG.exe	Get hash	malicious	Browse	40.93.212.0
	zHUScMPOlZ.dll	Get hash	malicious	Browse	40.97.116.82
	hsIF8b0YX1.msi	Get hash	malicious	Browse	191.235.71.131
	x86_x64_setup.exe	Get hash	malicious	Browse	104.43.193.48
	h3hlbLDpl8.exe	Get hash	malicious	Browse	13.64.90.137
	PAYMENT.HTML	Get hash	malicious	Browse	13.71.84.154
	JOB-in.line e.K.- Purchase Order 19600396 & 19600397.xlsx.exe	Get hash	malicious	Browse	13.82.24.228
	y3sBoQe6u7.exe	Get hash	malicious	Browse	52.170.189.162
	NC46O8xw5Z.exe	Get hash	malicious	Browse	52.170.189.162
	input.06.21.doc	Get hash	malicious	Browse	52.109.32.41
	PaymentConfirmation.pdf.exe	Get hash	malicious	Browse	13.90.75.180
	iaxfO8uzGB.exe	Get hash	malicious	Browse	20.184.2.45
	lumion.pro.v11-cgp-tpc.exe	Get hash	malicious	Browse	52.142.114.176
	ContactocelqnxthGOOwgjC%mu_NtgaG3(76852891932Contacto.bat	Get hash	malicious	Browse	52.167.55.56
	kvA3VL7NNB.exe	Get hash	malicious	Browse	40.118.53.192
	Tkl2kVaz5o.exe	Get hash	malicious	Browse	13.82.24.228
	Gnqavfhmcsecxlwdiltkkverstraextmrm.exe	Get hash	malicious	Browse	20.98.18.253
MICROSOFT-CORP-MSN-AS-BLOCKUS	9cYXsscTTT.exe	Get hash	malicious	Browse	104.42.151.234
	TestTakerSBBrowser.exe	Get hash	malicious	Browse	137.117.66.167
	mJSDCeNxFi.exe	Get hash	malicious	Browse	40.88.32.150
	oEE058tCoG.exe	Get hash	malicious	Browse	40.93.212.0
	zHUScMPOlZ.dll	Get hash	malicious	Browse	40.97.116.82
	hsIF8b0YX1.msi	Get hash	malicious	Browse	191.235.71.131
	x86_x64_setup.exe	Get hash	malicious	Browse	104.43.193.48
	h3hlbLDpl8.exe	Get hash	malicious	Browse	13.64.90.137
	PAYMENT.HTML	Get hash	malicious	Browse	13.71.84.154
	JOB-in.line e.K.- Purchase Order 19600396 & 19600397.xlsx.exe	Get hash	malicious	Browse	13.82.24.228
	y3sBoQe6u7.exe	Get hash	malicious	Browse	52.170.189.162
	NC46O8xw5Z.exe	Get hash	malicious	Browse	52.170.189.162
	input.06.21.doc	Get hash	malicious	Browse	52.109.32.41
	PaymentConfirmation.pdf.exe	Get hash	malicious	Browse	13.90.75.180
	iaxfO8uzGB.exe	Get hash	malicious	Browse	20.184.2.45
	lumion.pro.v11-cgp-tpc.exe	Get hash	malicious	Browse	52.142.114.176
	ContactocelqnxthGOOwgjC%mu_NtgaG3(76852891932Contacto.bat	Get hash	malicious	Browse	52.167.55.56
	kvA3VL7NNB.exe	Get hash	malicious	Browse	40.118.53.192
	Tkl2kVaz5o.exe	Get hash	malicious	Browse	13.82.24.228
	Gnqavfhmcsecxlwdiltkkverstraextmrm.exe	Get hash	malicious	Browse	20.98.18.253

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9F4ECD44-DE7D-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.772924635523489
Encrypted:	false
SSDEEP:	96:rIZDZ+21jWaQOtaQkjNfaQkJjJb1MaPJWxTTm+PJqDB:rIZDZ+21jWpOtpmfpaxMrvcB
MD5:	7C8C1828F92E6CBAE509B37492922C2B
SHA1:	5EE8D6D94E12F48FAD9A2525022E45FAF0AED6F3
SHA-256:	78DE3376B09D44F1856E233DB1AAC58F16694D92B0F583A2D688F8B60CA5E7F6
SHA-512:	81E018F7A9615498834CACCDABD80C27263253BA0C716791E9359D4E1760C4DE3676C30441957934EF73242FD73CB55F1EB10BBC660C6D4DC7F43604C26DCB9F
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F4ECD46-DE7D-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27440
Entropy (8bit):	1.8685329661065735
Encrypted:	false
SSDEEP:	192:rsZXQ765kIbjh2ISWZMJ6QMcm85DxxQMcm85DLcm81A:rsA+KIHQIRik2NP2NIW
MD5:	A8283B1F89E8FE3D9516A5879CF22529
SHA1:	0C0D464DC572D4DFE01E8A61A40AD2D7A169F2F3
SHA-256:	5A4DB801F0CFC7D341D131116E6694AD8DB16C00B0FB9EB9B3323998F79ED86F
SHA-512:	553912B4860BE810CC086F9F54BD6F92009533A259005E38E555FD60DD01AC4AF16BC70F8787CFD7A1959831A4CBCE33B32FDC82AB563B40729AD47F6054D3AF
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.1370133199807855
Encrypted:	false
SSDEEP:	12:TMHdNMNxOE+loYlow4nWimI002EtM3MHdNMNxOE+loYlow4nWimI00ObVbkEtMb:2d6NxOnoMoJSZHKd6NxOnoMoJSZ76b
MD5:	8CDDF656C19A8FE75BE2FB5242BECF8B
SHA1:	8AF0738E35451565919735590D77CDA9BC9D5877
SHA-256:	01FCEF5F8E8210E98053200C15DCC267A37915731B47B8476229C0A7D8963018
SHA-512:	ABF67CAFAE3E2C57487997A125950BE678740F41BBE1D77114EDA032CDDBAB75CB508E1687AC5326BEF4E4F15B577CED840B14DCD8493730ECD36F733CD7FA8B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.141239430132834
Encrypted:	false
SSDEEP:	12:TMHdNMNxe2k2E4Ew4nWimI002EtM3MHdNMNxe2k2Esw4nWimI00Obkak6EtMb:2d6Nxr8TJSZHKd6Nxr8sJSZ7Aa7b
MD5:	C18FB96A2677A8AD21264174E9B5D06C
SHA1:	144F2CE5723B6062136BD6A688C103FCDD1381E1
SHA-256:	58D3BC4C56E6C3CE9CFB2B854D7939E4BEA51E6473A0FEC1E2F1DDE9B3473039
SHA-512:	E307AB54B10810092B08E2B883020339B71C4122C5B14225E7CCB02A934C695EF756DE71CDCE529AFAE6129455005A1B6074BD8227199AC5F1C52141BE832C91
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x75a6d344,0x01d7728a</date><accdate>0x75a6d344,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x75a6d344,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	662
Entropy (8bit):	5.155771814519474
Encrypted:	false
SSDEEP:	12:TMHdNMNxvL+loYlow4nWimI002EtM3MHdNMNxvL+loYlow4nWimI00ObmZEtMb:2d6NxveoMoJSZHKd6NxveoMoJSZ7mb
MD5:	10E1BB06FA11954027983BE655C1DE90
SHA1:	CD0EB6F6E72AD63AF7564AE8186D05329BC3910D
SHA-256:	5CDD7685923D3845E70F06DA25FC27423CF7A16BA753A325B09E5B565227A41B
SHA-512:	4794D67ADE225AB3CF101428475CBF2D5959A018931274FDD9393B51F5AB664DE906F41D9F9A344DCAE472F58B7CCDBD4435B47306057B3FCDF4FCDAC9C39C70
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	647
Entropy (8bit):	5.126076628714451
Encrypted:	false
SSDEEP:	12:TMHdNMNxiysw4nWimI002EtM3MHdNMNxiysw4nWimI00Obd5EtMb:2d6NxFsJSZHKd6NxFsJSZ7Jjb
MD5:	67F23DD4BD5B4AC91CDEB4AD19EF1383
SHA1:	D9BEDAA2208FAFC9A2028F1A019B85C598DB1225
SHA-256:	F95BDD163A8A27AAD36E89BC3EEEADFE2FC4B4477BAE1874D3A7821220D6BA83
SHA-512:	66BC54AECD9BD78AC57A43E6FE848A7BA83A86E7C02ACE825AF06BFEAC42932740C520E073588A5F087E661488B1CB3B98896D021AA3DEB785E1FD004F8DFADB
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.168113819529659
Encrypted:	false
SSDEEP:	12:TMHdNMNxhGw+loYlow4nWimI002EtM3MHdNMNxhGw+loYlow4nWimI00Ob8K075t:2d6NxQzoMoJSZHKd6NxQzoMoJSZ7YKa/
MD5:	BC732ADD8E3E3417EAA611F9E7FCCF9D
SHA1:	D572BA10272A9099184EA2FF1CD59A3054B11E66
SHA-256:	6F218251411D737BCEB92E403637ACE6859C4868659EB7EB34BED735A0C9722A
SHA-512:	AD7ABC77A5BC674E4B083C0F95D8C45AB4D75086CF0B430C0ECCBDD8237328DCFD373FD2B3F341D2E5BBCBDF4DE9B1D1AF2385D1A97A65ADB86CDA7D8BE794AD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.122691731433799
Encrypted:	false
SSDEEP:	12:TMHdNMNx0nysw4nWimI002EtM3MHdNMNx0nyYlow4nWimI00ObxEtMb:2d6Nx0ysJSZHKd6Nx0yMoJSZ7nb
MD5:	9373F79A947760C9CEFCA656E1A755AA
SHA1:	AEAE50D2928951B78741F9629C58E595D2C18DFB
SHA-256:	FDF2AF93747CCD74C4FD3BEA2B4D8D4109D2FAA33DC5786359B562DE27F2E9B6
SHA-512:	72A0FBA2E8FE19B731DB087C509B0F3F17C43EED6B83144C1C1BDC8F61AD9A04E4815217DA766062E465BF3A91600365123636DA44D359422BF22E90D999D368
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	656
Entropy (8bit):	5.150522085625073
Encrypted:	false
SSDEEP:	12:TMHdNMNxxysw4nWimI002EtM3MHdNMNxxysw4nWimI00Ob6Kq5EtMb:2d6NxwsJSZHKd6NxwsJSZ7ob
MD5:	1B603D219A9EE1A601FB90A6F99E3020
SHA1:	6AF87033C2BF262B43C2BD788BC0E5ECD4A51538
SHA-256:	E957E32B11A1A3628E389262FDAC37F676D93C7BA1CE1A260713C802FDDEC00B
SHA-512:	70938D2AEEFCD35F830D70F7A7ACE4640EE3204202500082363D4B5D523F4AAF58CAFCEE57FBAFF4D73D1C6630D5DC18DBB57BF393C2ADE360F44359F9B092BD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.130028839755316
Encrypted:	false
SSDEEP:	12:TMHdNMNxcysw4nWimI002EtM3MHdNMNxcysw4nWimI00ObVEtMb:2d6NxTsJSZHKd6NxTsJSZ7Db
MD5:	8C15E261BD350519B068797A0AA6B0A1
SHA1:	58E8845D8BEE59243E2D9A7439709CE82B795C90
SHA-256:	4F4289FB852430851C279E6B212F03DE22111AE236328CAEFFDE46C12F9CBB37
SHA-512:	7FD2535AB0EB34DEE45430B653BD362D7C3D2BDD7EB8178FD71D1B3E9EEB55E1D412AEF45CF1F61A9E398A015535143FB7BAF581C004F78448ACD321A5F39A79
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	653
Entropy (8bit):	5.111602801743394
Encrypted:	false
SSDEEP:	12:TMHdNMNxfnysw4nWimI002EtM3MHdNMNxfnysw4nWimI00Obe5EtMb:2d6NxasJSZHKd6NxasJSZ7ijb
MD5:	095286053DFE08A9048F59187130C671
SHA1:	EC18C9E731C770057A3E9AB28EBD0BF65646E9A5
SHA-256:	10753B1D07A0270419982E614D34B5F1B3EEDE2F10C4F9498CF39B8AAF492368
SHA-512:	5A7373872D50AE0395FF1DCEC8245FFF1BB61248BE4846705BB24EB880EF9D42C391E4ACFD84FF57DAFC4199F0A53193A858FFA6D99801A7B44C85E5B8E8528A
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.456558184868483
Encrypted:	false
SSDEEP:	3:oVXUoHFQ4ImW8JOGXnEoHFQ4mn:o9UolQdHqEolQB
MD5:	91D290BAECADD68327326320765FA8AC
SHA1:	EF4BE826977032F459D30059B9E511A73A8D0168
SHA-256:	DC9A8FE16024DB2B0FCEF83F274A9482FFFBCFD023D459155159000CE616693C
SHA-512:	3DCE051F08D5FEA0318A60276EF2C275D5009067CCCF0F0A82644B023D68766A925DA1490C77E4E014EE3DA016BA503BA02177265C5C3CEEDFDA5E7666C704A5
Malicious:	false
Preview:	[2021/07/06 10:14:31.195] Latest deploy version: ..[2021/07/06 10:14:31.195] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF1C465EC4A4AE6446.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	0.4123024469502063
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loxF9loT9lW6Q2jW:kBqoIUK6Q2jW
MD5:	ECC7DD9AEB22ED33DC2B310B6B0F9A4D
SHA1:	C9E6FC777EB4D58A95015DB2514D4BFAC89313DE
SHA-256:	DC21DE8B040CB34995FB62AA46457058596F521098D3B2CAC095A08FCEC92A98
SHA-512:	5FE904FD43B835659A4B1F07E9BC0877E3A8F27FBD7C4582C1F4D2B9154CEB2C7EDF63DB0DC8D77A1D29326B832BE5C605049250ABDA5CC62661CC9281C75368
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC3C25805150DF731.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39777
Entropy (8bit):	0.5995582754387802
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR++4y7o2QMcm85DYQMcm85DwQMcm85DB:kBqoxKAuqR++4y7o22NY2Nw2NB
MD5:	B2095C2C316721060BE01F421B27C9DD
SHA1:	9465DF8F9B01A5E81B64595BB1AD251F15BAFB1F
SHA-256:	E047BEE7B9EBBEBFCFA2A048AB19A4DD7B3D7E992E933C4819976B3F29A344EC
SHA-512:	EE366AB60267ECADFDEEDB502249F9E9C4F1865C59D135811DAE83CFDF86C843256745BE9C8389E05CA34EE0FC345906B325070705AF4F789A932DB1EEAF6771
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.657199882496558
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	60e40fb428612.dll
File size:	381440
MD5:	c6bfea479b46b9eb7a69667e0165179f
SHA1:	c7f449ab51a47791a8f3041f0a0dce7c6feb06c4
SHA256:	62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc
SHA512:	0ab64d469f20237833da030fce03b44be339e63fc2c3b4a667d1aaa22cf8f6b64cfcf9a2e9314b06fe538ca63ba89465141324ddd603d53971395bc35d6b8ab6
SSDEEP:	6144:vC8nRa6tXFOspzA7n6NZVeC8i795fubASK9beZTX3l8Eo:J0SVOsphVWi7PWoBeZTX36
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~@........................................D...................................................Rich............PE..L......S...

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x102cd58
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5396CBB2 [Tue Jun 10 09:11:14 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4c29865e356872ef0757b58734cbbb11

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F7454C1BA77h
call 00007F7454C26C5Fh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F7454C1BA7Ch
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 010591A8h
call 00007F7454C21F7Eh
xor eax, eax
inc eax
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007F7454C1BA7Eh
cmp dword ptr [010F11A4h], esi
je 00007F7454C1BB5Ah
and dword ptr [ebp-04h], 00000000h
cmp esi, 01h
je 00007F7454C1BA77h
cmp esi, 02h
jne 00007F7454C1BAA7h
mov ecx, dword ptr [01052870h]
test ecx, ecx
je 00007F7454C1BA7Eh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F7454C1BB27h
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007F7454C1B886h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F7454C1BB10h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007F7454C10438h
mov edi, eax
mov dword ptr [ebp-1Ch], edi
cmp esi, 01h
jne 00007F7454C1BA9Ah
test edi, edi
jne 00007F7454C1BA96h
push ebx
push eax
push dword ptr [ebp+08h]
call 00007F7454C10420h
push ebx
push edi
push dword ptr [ebp+08h]
call 00007F7454C1B84Ch
mov eax, dword ptr [01052870h]
test eax, eax
je 00007F7454C1BA79h
push ebx
push edi
push dword ptr [ebp+08h]
call eax

Rich Headers

Programming Language:

[EXP] VS2013 UPD3 build 30723
[LNK] VS2013 UPD3 build 30723
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[C++] VS2013 UPD3 build 30723
[RES] VS2013 build 21005
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597e0	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x59860	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf5000	0x2b1c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x44220	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x57c58	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x44000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4211f	0x42200	False	0.619812588611	data	6.63194807603	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x44000	0x16172	0x16200	False	0.578919491525	data	5.90225736165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0x980ec	0x1c00	False	0.316824776786	data	3.9217328811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xf4000	0x1e0	0x200	False	0.529296875	data	4.724728912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf5000	0x2b1c	0x2c00	False	0.760919744318	data	6.67218651592	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0xf4060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateProcessA, GetSystemDirectoryA, GetTempPathA, GetWindowsDirectoryA, GetCurrentDirectoryA, SetSystemPowerState, SetConsoleCP, SetConsoleOutputCP, GetModuleHandleA, CreateFileW, ReadConsoleW, WriteConsoleW, SetStdHandle, OutputDebugStringW, LoadLibraryExW, GetTimeZoneInformation, GetModuleFileNameA, FormatMessageA, GetSystemTimeAsFileTime, GetProcessHeap, VirtualProtect, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, GetLastError, HeapFree, HeapAlloc, RaiseException, RtlUnwind, GetCommandLineA, GetCurrentThreadId, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, IsProcessorFeaturePresent, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ExitProcess, GetModuleHandleExW, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameW, IsDebuggerPresent, IsValidCodePage, GetACP, GetOEMCP, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, CloseHandle, FlushFileBuffers, GetConsoleCP, GetConsoleMode, ReadFile, SetFilePointerEx, SetEnvironmentVariableA
USER32.dll	GetWindowThreadProcessId, GetSysColorBrush, GetWindowRect, GetClientRect, GetForegroundWindow, CreatePopupMenu, DialogBoxIndirectParamA, CreateDialogIndirectParamA
GDI32.dll	SetPixel, SelectObject, PatBlt, GetTextExtentPoint32A, StretchBlt

Exports

Name	Ordinal	Address
Clockcondition	1	0x1021070
Dogwhen	2	0x1021fa0
Sing	3	0x1022080
Wholegray	4	0x1022270

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/06/21-10:14:32.857922	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49732	80	192.168.2.3	40.97.116.82
07/06/21-10:14:32.857922	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49732	80	192.168.2.3	40.97.116.82
07/06/21-10:15:16.513525	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49755	80	192.168.2.3	37.120.222.6
07/06/21-10:15:16.513525	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49755	80	192.168.2.3	37.120.222.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 10:14:32.679692984 CEST	49732	80	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:32.679855108 CEST	49733	80	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:32.857115984 CEST	80	49732	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:32.857297897 CEST	49732	80	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:32.857922077 CEST	49732	80	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:32.860918045 CEST	80	49733	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:32.861130953 CEST	49733	80	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.038372993 CEST	80	49732	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:33.038541079 CEST	49732	80	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.038781881 CEST	49732	80	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.047230005 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.217641115 CEST	80	49732	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:33.228092909 CEST	443	49734	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:33.228327990 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.234067917 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.414740086 CEST	443	49734	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:33.414947033 CEST	443	49734	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:33.414973974 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.415021896 CEST	443	49734	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:33.415045023 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.415091991 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.470065117 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.476227045 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.650742054 CEST	443	49734	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:33.654561996 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.658566952 CEST	443	49734	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:33.660784960 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.661149025 CEST	49734	443	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:33.732243061 CEST	49736	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.732850075 CEST	49737	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.778862000 CEST	443	49736	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.779082060 CEST	49736	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.779428005 CEST	443	49737	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.779624939 CEST	49737	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.780896902 CEST	49736	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.782485008 CEST	49737	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.828136921 CEST	443	49736	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.828176975 CEST	443	49736	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.828206062 CEST	443	49736	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.828216076 CEST	49736	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.828244925 CEST	49736	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.828248978 CEST	49736	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.829750061 CEST	443	49737	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.829778910 CEST	443	49737	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.829803944 CEST	443	49737	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.829857111 CEST	49737	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.829899073 CEST	49737	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.839167118 CEST	49737	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.839174032 CEST	49736	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.839570999 CEST	49737	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.842262030 CEST	443	49734	40.97.116.82	192.168.2.3
Jul 6, 2021 10:14:33.885915041 CEST	443	49737	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.886610985 CEST	443	49736	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.886646986 CEST	443	49737	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.886708975 CEST	49736	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.886797905 CEST	49737	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.889224052 CEST	443	49737	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.889365911 CEST	49737	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.889837980 CEST	49737	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:33.936193943 CEST	443	49737	52.97.201.18	192.168.2.3
Jul 6, 2021 10:14:33.952986956 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:33.953524113 CEST	49739	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:33.998193979 CEST	443	49738	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:33.998354912 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:33.998629093 CEST	443	49739	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:33.998760939 CEST	49739	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:33.999792099 CEST	49739	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.000386000 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.046736956 CEST	443	49739	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.046786070 CEST	443	49739	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.046835899 CEST	443	49739	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.046915054 CEST	49739	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.046971083 CEST	49739	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.047349930 CEST	443	49738	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.047401905 CEST	443	49738	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.047451019 CEST	443	49738	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.047461033 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.047488928 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.047511101 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.069289923 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.069888115 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.070317984 CEST	49739	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.115628958 CEST	443	49738	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.116729975 CEST	443	49738	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.116848946 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.116911888 CEST	443	49739	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.117012978 CEST	49739	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.135791063 CEST	443	49738	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.135828018 CEST	443	49738	40.101.18.18	192.168.2.3
Jul 6, 2021 10:14:34.135989904 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:34.136013031 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:35.479271889 CEST	49733	80	192.168.2.3	40.97.116.82
Jul 6, 2021 10:14:35.479321957 CEST	49736	443	192.168.2.3	52.97.201.18
Jul 6, 2021 10:14:35.479450941 CEST	49738	443	192.168.2.3	40.101.18.18
Jul 6, 2021 10:14:35.479507923 CEST	49739	443	192.168.2.3	40.101.18.18

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 10:13:03.616353035 CEST	60152	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:13:03.672595978 CEST	53	60152	8.8.8.8	192.168.2.3
Jul 6, 2021 10:13:03.927746058 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:13:03.988266945 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 6, 2021 10:13:04.643632889 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:13:04.701376915 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 6, 2021 10:13:05.706830025 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:13:05.754601002 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 6, 2021 10:13:06.618119955 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:13:06.674112082 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 6, 2021 10:13:10.602200031 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:13:10.651422977 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 6, 2021 10:13:57.341198921 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:13:57.414719105 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:00.686882973 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:00.757929087 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:01.988212109 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:02.063062906 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:11.333376884 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:11.383974075 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:16.557081938 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:16.627860069 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:25.475429058 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:25.535197973 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:26.490735054 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:26.549185991 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:29.915018082 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:29.962378025 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:31.168035030 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:31.224670887 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:31.578183889 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:31.628283024 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:32.613379955 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:32.659415007 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:33.064837933 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:33.114031076 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:33.669946909 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:33.726041079 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:33.904778957 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:33.950735092 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:33.964409113 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:34.019156933 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:35.056639910 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:35.102746964 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:36.761239052 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:36.817509890 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:37.663002968 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:37.711383104 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:39.049067974 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:39.114485979 CEST	53	56132	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:45.803230047 CEST	58987	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:45.850330114 CEST	53	58987	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:46.929511070 CEST	56579	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:46.976053953 CEST	53	56579	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:48.000942945 CEST	60633	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:48.059129953 CEST	53	60633	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:48.917572021 CEST	61292	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:48.965244055 CEST	53	61292	8.8.8.8	192.168.2.3
Jul 6, 2021 10:14:51.896862984 CEST	63619	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:14:51.962089062 CEST	53	63619	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:01.596506119 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:01.654493093 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:02.592478037 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:02.650181055 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:03.603231907 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:03.654736996 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:05.618633032 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:05.668678999 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:06.177630901 CEST	61946	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:06.234972954 CEST	53	61946	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:06.685731888 CEST	64910	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:06.751279116 CEST	53	64910	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:09.618885994 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:09.669483900 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:16.097245932 CEST	52123	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:16.147475958 CEST	53	52123	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:16.411437035 CEST	56130	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:16.470443010 CEST	53	56130	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:16.598243952 CEST	56338	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:16.646888971 CEST	53	56338	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:17.103801012 CEST	59420	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:17.104545116 CEST	58784	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:17.106673956 CEST	63978	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:17.121890068 CEST	62938	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:17.149089098 CEST	55708	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:17.151671886 CEST	53	58784	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:17.153903961 CEST	53	63978	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:17.196300983 CEST	56803	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:17.198879004 CEST	53	55708	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:17.246303082 CEST	53	56803	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:17.394293070 CEST	53	59420	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:17.410007954 CEST	53	62938	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:17.790957928 CEST	57145	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:17.846556902 CEST	53	57145	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:17.936816931 CEST	55359	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:17.983450890 CEST	53	55359	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:18.986695051 CEST	58306	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:19.047332048 CEST	53	58306	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:19.189786911 CEST	64124	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:19.246262074 CEST	53	64124	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:19.472058058 CEST	49361	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:19.519728899 CEST	53	49361	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:20.643217087 CEST	63150	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:20.720418930 CEST	53	63150	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:20.762094975 CEST	53279	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:20.812123060 CEST	53	53279	8.8.8.8	192.168.2.3
Jul 6, 2021 10:15:20.847999096 CEST	56881	53	192.168.2.3	8.8.8.8
Jul 6, 2021 10:15:20.894500017 CEST	53	56881	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 6, 2021 10:14:32.613379955 CEST	192.168.2.3	8.8.8.8	0xf54d	Standard query (0)	outlook.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:33.669946909 CEST	192.168.2.3	8.8.8.8	0x8172	Standard query (0)	www.outlook.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:33.904778957 CEST	192.168.2.3	8.8.8.8	0x8288	Standard query (0)	outlook.office365.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:16.411437035 CEST	192.168.2.3	8.8.8.8	0x3f0f	Standard query (0)	vuredosite.club	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:16.598243952 CEST	192.168.2.3	8.8.8.8	0x198e	Standard query (0)	www.redtube.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.103801012 CEST	192.168.2.3	8.8.8.8	0xa924	Standard query (0)	ei.rdtcdn.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.104545116 CEST	192.168.2.3	8.8.8.8	0x48	Standard query (0)	cdn1d-static-shared.phncdn.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.106673956 CEST	192.168.2.3	8.8.8.8	0x26e6	Standard query (0)	static.trafficjunky.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.121890068 CEST	192.168.2.3	8.8.8.8	0x83b1	Standard query (0)	ei.rdtcdn.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.149089098 CEST	192.168.2.3	8.8.8.8	0x3e3b	Standard query (0)	ht.redtube.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.196300983 CEST	192.168.2.3	8.8.8.8	0x3388	Standard query (0)	static.trafficjunky.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.936816931 CEST	192.168.2.3	8.8.8.8	0x4d70	Standard query (0)	cdn1d-static-shared.phncdn.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:18.986695051 CEST	192.168.2.3	8.8.8.8	0xb8ee	Standard query (0)	stats.g.doubleclick.net	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:19.189786911 CEST	192.168.2.3	8.8.8.8	0xead2	Standard query (0)	ci-ph.rdtcdn.com	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:20.643217087 CEST	192.168.2.3	8.8.8.8	0x27a1	Standard query (0)	www.google.de	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:20.762094975 CEST	192.168.2.3	8.8.8.8	0x2150	Standard query (0)	hw-cdn.trafficjunky.net	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:20.847999096 CEST	192.168.2.3	8.8.8.8	0x45e6	Standard query (0)	ads.trafficjunky.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 6, 2021 10:14:32.659415007 CEST	8.8.8.8	192.168.2.3	0xf54d	No error (0)	outlook.com		40.97.116.82	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:32.659415007 CEST	8.8.8.8	192.168.2.3	0xf54d	No error (0)	outlook.com		40.97.161.50	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:32.659415007 CEST	8.8.8.8	192.168.2.3	0xf54d	No error (0)	outlook.com		40.97.160.2	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:32.659415007 CEST	8.8.8.8	192.168.2.3	0xf54d	No error (0)	outlook.com		40.97.148.226	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:32.659415007 CEST	8.8.8.8	192.168.2.3	0xf54d	No error (0)	outlook.com		40.97.164.146	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:32.659415007 CEST	8.8.8.8	192.168.2.3	0xf54d	No error (0)	outlook.com		40.97.128.194	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:32.659415007 CEST	8.8.8.8	192.168.2.3	0xf54d	No error (0)	outlook.com		40.97.156.114	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:32.659415007 CEST	8.8.8.8	192.168.2.3	0xf54d	No error (0)	outlook.com		40.97.153.146	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:33.726041079 CEST	8.8.8.8	192.168.2.3	0x8172	No error (0)	www.outlook.com	outlook.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:14:33.726041079 CEST	8.8.8.8	192.168.2.3	0x8172	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:14:33.726041079 CEST	8.8.8.8	192.168.2.3	0x8172	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:14:33.726041079 CEST	8.8.8.8	192.168.2.3	0x8172	No error (0)	outlook.ms-acdc.office.com	HHN-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:14:33.726041079 CEST	8.8.8.8	192.168.2.3	0x8172	No error (0)	HHN-efz.ms-acdc.office.com		52.97.201.18	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:33.726041079 CEST	8.8.8.8	192.168.2.3	0x8172	No error (0)	HHN-efz.ms-acdc.office.com		52.97.201.2	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:33.726041079 CEST	8.8.8.8	192.168.2.3	0x8172	No error (0)	HHN-efz.ms-acdc.office.com		40.101.137.34	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:33.726041079 CEST	8.8.8.8	192.168.2.3	0x8172	No error (0)	HHN-efz.ms-acdc.office.com		52.97.201.34	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:33.950735092 CEST	8.8.8.8	192.168.2.3	0x8288	No error (0)	outlook.office365.com	outlook.ha.office365.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:14:33.950735092 CEST	8.8.8.8	192.168.2.3	0x8288	No error (0)	outlook.ha.office365.com	outlook.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:14:33.950735092 CEST	8.8.8.8	192.168.2.3	0x8288	No error (0)	outlook.ms-acdc.office.com	FRA-efz.ms-acdc.office.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:14:33.950735092 CEST	8.8.8.8	192.168.2.3	0x8288	No error (0)	FRA-efz.ms-acdc.office.com		40.101.18.18	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:33.950735092 CEST	8.8.8.8	192.168.2.3	0x8288	No error (0)	FRA-efz.ms-acdc.office.com		40.101.12.50	A (IP address)	IN (0x0001)
Jul 6, 2021 10:14:33.950735092 CEST	8.8.8.8	192.168.2.3	0x8288	No error (0)	FRA-efz.ms-acdc.office.com		40.101.83.18	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:16.470443010 CEST	8.8.8.8	192.168.2.3	0x3f0f	No error (0)	vuredosite.club		37.120.222.6	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:16.646888971 CEST	8.8.8.8	192.168.2.3	0x198e	No error (0)	www.redtube.com	redtube.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:16.646888971 CEST	8.8.8.8	192.168.2.3	0x198e	No error (0)	redtube.com		66.254.114.238	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.151671886 CEST	8.8.8.8	192.168.2.3	0x48	No error (0)	cdn1d-static-shared.phncdn.com	vip0x08e.ssl.rncdn5.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:17.151671886 CEST	8.8.8.8	192.168.2.3	0x48	No error (0)	vip0x08e.ssl.rncdn5.com		205.185.208.142	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.153903961 CEST	8.8.8.8	192.168.2.3	0x26e6	No error (0)	static.trafficjunky.com	vip0x04f.ssl.rncdn5.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:17.153903961 CEST	8.8.8.8	192.168.2.3	0x26e6	No error (0)	vip0x04f.ssl.rncdn5.com		205.185.208.79	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.198879004 CEST	8.8.8.8	192.168.2.3	0x3e3b	No error (0)	ht.redtube.com	hubtraffic.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:17.198879004 CEST	8.8.8.8	192.168.2.3	0x3e3b	No error (0)	hubtraffic.com		66.254.114.32	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.246303082 CEST	8.8.8.8	192.168.2.3	0x3388	No error (0)	static.trafficjunky.com	vip0x04f.ssl.rncdn5.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:17.246303082 CEST	8.8.8.8	192.168.2.3	0x3388	No error (0)	vip0x04f.ssl.rncdn5.com		205.185.208.79	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.394293070 CEST	8.8.8.8	192.168.2.3	0xa924	No error (0)	ei.rdtcdn.com	ei.rdtcdn.com.sds.rncdn7.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:17.394293070 CEST	8.8.8.8	192.168.2.3	0xa924	No error (0)	ei.rdtcdn.com.sds.rncdn7.com		64.210.135.68	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.394293070 CEST	8.8.8.8	192.168.2.3	0xa924	No error (0)	ei.rdtcdn.com.sds.rncdn7.com		64.210.135.70	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.394293070 CEST	8.8.8.8	192.168.2.3	0xa924	No error (0)	ei.rdtcdn.com.sds.rncdn7.com		64.210.135.72	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.410007954 CEST	8.8.8.8	192.168.2.3	0x83b1	No error (0)	ei.rdtcdn.com	ei.rdtcdn.com.sds.rncdn7.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:17.410007954 CEST	8.8.8.8	192.168.2.3	0x83b1	No error (0)	ei.rdtcdn.com.sds.rncdn7.com		64.210.135.72	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.410007954 CEST	8.8.8.8	192.168.2.3	0x83b1	No error (0)	ei.rdtcdn.com.sds.rncdn7.com		64.210.135.68	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.410007954 CEST	8.8.8.8	192.168.2.3	0x83b1	No error (0)	ei.rdtcdn.com.sds.rncdn7.com		64.210.135.70	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:17.983450890 CEST	8.8.8.8	192.168.2.3	0x4d70	No error (0)	cdn1d-static-shared.phncdn.com	vip0x08e.ssl.rncdn5.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:17.983450890 CEST	8.8.8.8	192.168.2.3	0x4d70	No error (0)	vip0x08e.ssl.rncdn5.com		205.185.208.142	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:19.047332048 CEST	8.8.8.8	192.168.2.3	0xb8ee	No error (0)	stats.g.doubleclick.net	stats.l.doubleclick.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:19.047332048 CEST	8.8.8.8	192.168.2.3	0xb8ee	No error (0)	stats.l.doubleclick.net		142.250.102.155	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:19.047332048 CEST	8.8.8.8	192.168.2.3	0xb8ee	No error (0)	stats.l.doubleclick.net		142.250.102.157	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:19.047332048 CEST	8.8.8.8	192.168.2.3	0xb8ee	No error (0)	stats.l.doubleclick.net		142.250.102.156	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:19.047332048 CEST	8.8.8.8	192.168.2.3	0xb8ee	No error (0)	stats.l.doubleclick.net		142.250.102.154	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:19.246262074 CEST	8.8.8.8	192.168.2.3	0xead2	No error (0)	ci-ph.rdtcdn.com	cs733.wpc.rncdn4.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:19.246262074 CEST	8.8.8.8	192.168.2.3	0xead2	No error (0)	cs733.wpc.rncdn4.com		192.229.221.206	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:20.720418930 CEST	8.8.8.8	192.168.2.3	0x27a1	No error (0)	www.google.de		142.250.201.195	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:20.812123060 CEST	8.8.8.8	192.168.2.3	0x2150	No error (0)	hw-cdn.trafficjunky.net	vip0x055.ssl.rncdn5.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 10:15:20.812123060 CEST	8.8.8.8	192.168.2.3	0x2150	No error (0)	vip0x055.ssl.rncdn5.com		205.185.208.85	A (IP address)	IN (0x0001)
Jul 6, 2021 10:15:20.894500017 CEST	8.8.8.8	192.168.2.3	0x45e6	No error (0)	ads.trafficjunky.net		66.254.114.38	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

outlook.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49732	40.97.116.82	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 10:14:32.857922077 CEST	1314	OUT	GET /grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9uJKM/uw7wyHm_/2Bzvrq8q92GB9q04QVkch60/s8xolTUIEl/JiLJJpnHLtn3GR9k1/2H8tNCG7sbZq/z7aUK7NADvh/BA6FMpxvpSV9V3/bnPW_2FsZW9JkMS_2Bt_2/FS0OhP_2Bi7_2Fs_/2BndfgWaKsB4v7f/IedJmZ8N1/uc.grow HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: outlook.com Connection: Keep-Alive
Jul 6, 2021 10:14:33.038372993 CEST	1316	IN	HTTP/1.1 301 Moved Permanently Cache-Control: no-cache Pragma: no-cache Location: https://outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9uJKM/uw7wyHm_/2Bzvrq8q92GB9q04QVkch60/s8xolTUIEl/JiLJJpnHLtn3GR9k1/2H8tNCG7sbZq/z7aUK7NADvh/BA6FMpxvpSV9V3/bnPW_2FsZW9JkMS_2Bt_2/FS0OhP_2Bi7_2Fs_/2BndfgWaKsB4v7f/IedJmZ8N1/uc.grow Server: Microsoft-IIS/10.0 request-id: 0c528c66-95f2-66ac-f096-bcb2bbf72a2e X-FEServer: MWHPR13CA0016 X-RequestId: 656c1daf-a33e-463d-94f3-340accd6ebc2 X-Powered-By: ASP.NET X-FEServer: MWHPR13CA0016 Date: Tue, 06 Jul 2021 08:14:32 GMT Connection: close Content-Length: 0

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6680 Parent PID: 5652

General

Start time:	10:13:09
Start date:	06/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll'
Imagebase:	0x80000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6708 Parent PID: 6680

General

Start time:	10:13:09
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6748 Parent PID: 6680

General

Start time:	10:13:10
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition
Imagebase:	0x1320000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6760 Parent PID: 6708

General

Start time:	10:13:10
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
Imagebase:	0x1320000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 6792 Parent PID: 6680

General

Start time:	10:13:14
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Dogwhen
Imagebase:	0x1320000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6804 Parent PID: 6680

General

Start time:	10:13:18
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Sing
Imagebase:	0x1320000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6816 Parent PID: 6680

General

Start time:	10:13:25
Start date:	06/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Wholegray
Imagebase:	0x1320000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6312 Parent PID: 792

General

Start time:	10:14:29
Start date:	06/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6ba990000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 1320 Parent PID: 6312

General

Start time:	10:14:30
Start date:	06/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
Imagebase:	0x9e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 3176 Parent PID: 792

General

Start time:	10:15:14
Start date:	06/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 60e40fb428612.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph