
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 491
Start time: 21:07:28
Joe Sandbox Product: Cloud
Start date: 23.01.2018
Overall analysis duration: 0h 11m 24s
Hypervisor based Inspection enabled: true
Report type: full
Sample file name: dnscart.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 HVM (Office 2010, IE8, FF 50.1, Chrome 54.0, Java 1.8.0_111, Adobe Reader DC 2015.02)
Number of new started processes analysed: 10
Number of new started drivers analysed: 1
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection: MAL
Classification: mal56.troj.winEXE@11/1@0/3
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 81
  • Number of non-executed functions: 152
EGA Information:
  • Successful, ratio: 80%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): spsys.sys, dllhost.exe
  • Execution Graph export aborted for target sppsvc.exe, PID 2868 because there are no executed functions
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: mscorsvw.exe, mscorsvw.exe


Detection

Strategy: Threshold
Score: 56
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Signature Overview



Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_0022914E _snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_0022914E
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_002290BE memset,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,WaitForSingleObject,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_002290BE
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_002291F0 CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_002291F0
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_0022259B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_0022259B
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_00222505 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_00222505
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_00222447 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_00222447
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_002224C8 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_002224C8
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_00132447 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_00132447
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_001391F0 CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_001391F0
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_0013914E _snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_0013914E
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_001324C8 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_001324C8
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_001390BE memset,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,WaitForSingleObject,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_001390BE
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_0013259B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_0013259B
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_00132505 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_00132505
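Added triage example (not part of the Joe Sandbox report): the script below parses the "Code function" findings above, labels what each CryptoAPI chain does, and compares the two processes' function addresses after subtracting a guessed image base. The 14 input lines are copied from the findings; the function names (parse_findings, crypto_roles, describe, image_base, match_across_images), the role labels, and the rounding of the lowest address down to 64 KiB to guess the base are this example's own assumptions. The result, seven identical API chains at identical relative addresses (0x22xxxx in dnscart.exe, 0x13xxxx in certcache.exe), is consistent with both processes running the same code at different image bases; confirming that needs the dropped-file hashes, which this section does not show.

```python
import re
from collections import defaultdict

# Constructed input: the 14 "Code function" findings from the Cryptography section above,
# copied as the report prints them (<proc>_<n>_<address> prefix, API chain, same id repeated).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_0022914E _snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_0022914E
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_002290BE memset,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,WaitForSingleObject,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_002290BE
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_002291F0 CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,2_2_002291F0
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_0022259B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_0022259B
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_00222505 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_00222505
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_00222447 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_00222447
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_002224C8 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,2_2_002224C8
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_00132447 GetProcessHeap,RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptEncrypt,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_00132447
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_001391F0 CreateEventW,SignalObjectAndWait,ResetEvent,ReleaseMutex,CloseHandle,GetTickCount,CreateTimerQueueTimer,WaitForSingleObject,DeleteTimerQueueTimer,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_001391F0
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_0013914E _snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_0013914E
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_001324C8 CryptExportKey,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_001324C8
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_001390BE memset,_snwprintf,GetProcessHeap,HeapFree,CreateMutexW,WaitForSingleObject,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_001390BE
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_0013259B RtlAllocateHeap,CryptDuplicateHash,memcpy,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_0013259B
Source: C:\Windows\SysWOW64\certcache.exe; Code function: 4_2_00132505 CryptGetHashParam,CryptDestroyHash,GetProcessHeap,HeapFree,4_2_00132505
""".strip().splitlines()

LINE_RE = re.compile(
    r"Source:\s*(?P<path>[^;]+);\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<sub>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<chain>.+?),(?P=proc)_(?P=sub)_(?P=addr)\s*$"
)

# Role labels are this example's own shorthand for the CryptoAPI calls seen in the chains.
CRYPTO_ROLES = {
    "CryptDecrypt": "decrypt",
    "CryptVerifySignatureW": "verify_signature",
    "CryptEncrypt": "encrypt",
    "CryptExportKey": "export_key",
    "CryptGetHashParam": "read_hash",
    "CryptDuplicateHash": "copy_hash",
    "CryptReleaseContext": "release_provider",
}


def parse_findings(lines):
    """Turn each report line into {image, proc, addr, apis}; lines that do not match are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        findings.append({
            "image": m["path"].strip().rsplit("\\", 1)[-1],
            "proc": int(m["proc"]),
            "addr": int(m["addr"], 16),
            "apis": m["chain"].split(","),
        })
    return findings


def crypto_roles(apis):
    return {CRYPTO_ROLES[a] for a in apis if a in CRYPTO_ROLES}


def describe(roles):
    """Interpretation of a chain; decrypt followed by signature check is the receive path."""
    if {"decrypt", "verify_signature"} <= roles:
        return "inbound: decrypts a buffer and verifies a signature over it"
    if "encrypt" in roles:
        return "outbound: encrypts a buffer"
    if "export_key" in roles:
        return "exports key material"
    if "read_hash" in roles:
        return "reads a hash value"
    return "provider/key teardown only"


def image_base(addrs):
    """Heuristic: round the lowest address down to the 64 KiB allocation granularity."""
    return min(addrs) & ~0xFFFF


def match_across_images(findings):
    """Pair functions from two images by address relative to the guessed base; report whether chains match."""
    by_image = defaultdict(list)
    for f in findings:
        by_image[f["image"]].append(f)
    rvas = {}
    for image, fs in by_image.items():
        base = image_base([f["addr"] for f in fs])
        rvas[image] = {f["addr"] - base: f["apis"] for f in fs}
    images = sorted(rvas)
    if len(images) != 2:
        return []
    a, b = images
    return sorted((rva, rvas[a][rva] == rvas[b][rva]) for rva in set(rvas[a]) & set(rvas[b]))


if __name__ == "__main__":
    found = parse_findings(REPORT_LINES)
    for f in found:
        print(f"{f['image']:14} {f['addr']:#010x} {describe(crypto_roles(f['apis']))}")
    for rva, same in match_across_images(found):
        print(f"RVA {rva:#06x}: identical API chain in both images: {same}")
```

The 64 KiB rounding only works because every listed function sits within 64 KiB of the lowest one; for a larger function list use the image base from the process dump or the PE header instead.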

Networking:

Found strings which match known social media URLs (these look like Internet Explorer search-provider definitions and appear in the memory of system processes as well as certcache.exe, so they are not evidence of C2 on their own)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Posts data to webserver
Source: unknown; HTTP traffic detected:
  POST / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 69.16.193.12:4143
  Content-Length: 308
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw (truncated; fewer bytes are shown than the 308 declared): 05 2b f7 5b e4 e5 98 1e 24 6e 6a 13 43 d7 1c ef dc 05 87 f3 14 9c 42 81 af 2b 78 ee 2c c5 67 27 99 36 95 3e d3 40 38 4c 3d 39 4e 44 7a 18 44 d1 32 f6 9a 86 2d 61 60 0b 9e 95 3a b4 d3 29 8e 40 57 82 6a d0 91 62 4a d1 83 f1 52 b2 ea 6e 7e 7f e1 b8 9c 3e c3 ed c3 5d af a9 8b 6c 23 2e df 14 6c ef c2 5f e7 5f 38 c9 2e ba c3 7c 0c db bd 28 14 7e de 48 1e d8 63 39 22 97 5a 81 a4 c8 a1 74 eb d3 74 6b ae 5d df 8e f0 72 0b 9a bf e0 ea 18 98 2e 9e 5a 78 d2 ef 27 62 ba b7 31 0d 3c 07 c9 9c 9a 45 15 f5 fb 20 b2 54 33 70 c8 1f f2 51 96 51 76 8d 6d f9 db 50 b6 93 c2 8e cd 63 2a 6a 81 0a 2f 85 8a 20 12 72 88 51 75 d0 26 33 57 24 19 af d3 8a d2 04 7a f3 2b 45 ca 0e bb bd 83 f7 79 cf fc 37 51 e7 27 c1 c3 e4 02 d4 23 9c
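Added example (not part of the report): the script below parses the POST shown above and scores it on the indicators a detection engineer would key on: a bare IP address in the Host header, a port other than 80/8080, a POST to the bare root path, and a body with no Content-Type whose byte entropy is close to that of random data, which is what a CryptEncrypt'ed buffer (see the Cryptography section) looks like on the wire. The request head and body bytes are copied from the finding; the function names (parse_request, shannon_entropy, split_host, triage), the 6.0 bits/byte cut-off and the equal flag weights are this example's own choices. The User-Agent matches the default compatibility-view string IE8 reports on a Windows 7 x64 system such as the analysis machine, so it is deliberately not scored.

```python
import math
import re

# Constructed from the "Posts data to webserver" finding above: the request line and headers as
# the report prints them, and the raw body bytes it shows. Content-Length announces 308 bytes
# but the report prints fewer, so the capture is truncated.
REQUEST_HEAD = (
    "POST / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    ".NET4.0C; .NET4.0E)\r\n"
    "Host: 69.16.193.12:4143\r\n"
    "Content-Length: 308\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
BODY = bytes.fromhex("""
05 2b f7 5b e4 e5 98 1e 24 6e 6a 13 43 d7 1c ef dc 05 87 f3 14 9c 42 81 af 2b 78 ee 2c c5
67 27 99 36 95 3e d3 40 38 4c 3d 39 4e 44 7a 18 44 d1 32 f6 9a 86 2d 61 60 0b 9e 95 3a b4
d3 29 8e 40 57 82 6a d0 91 62 4a d1 83 f1 52 b2 ea 6e 7e 7f e1 b8 9c 3e c3 ed c3 5d af a9
8b 6c 23 2e df 14 6c ef c2 5f e7 5f 38 c9 2e ba c3 7c 0c db bd 28 14 7e de 48 1e d8 63 39
22 97 5a 81 a4 c8 a1 74 eb d3 74 6b ae 5d df 8e f0 72 0b 9a bf e0 ea 18 98 2e 9e 5a 78 d2
ef 27 62 ba b7 31 0d 3c 07 c9 9c 9a 45 15 f5 fb 20 b2 54 33 70 c8 1f f2 51 96 51 76 8d 6d
f9 db 50 b6 93 c2 8e cd 63 2a 6a 81 0a 2f 85 8a 20 12 72 88 51 75 d0 26 33 57 24 19 af d3
8a d2 04 7a f3 2b 45 ca 0e bb bd 83 f7 79 cf fc 37 51 e7 27 c1 c3 e4 02 d4 23 9c
""")

ENTROPY_THRESHOLD = 6.0  # bits/byte; assumed cut-off, text and XML bodies sit well below it


def parse_request(head):
    """Split a raw HTTP/1.x request head into method, path, version and lower-cased headers."""
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:  # empty line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def shannon_entropy(data):
    """Bits per byte: 8.0 is uniform random; a few hundred encrypted bytes land a little above 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def split_host(host_header):
    """Return (host, port) from a Host header, defaulting to port 80."""
    m = re.fullmatch(r"(?P<host>\[[^\]]+\]|[^:]+)(?::(?P<port>\d+))?", host_header)
    return m["host"], int(m["port"]) if m["port"] else 80


def triage(req, body):
    hostname, port = split_host(req["headers"].get("host", ""))
    declared = int(req["headers"].get("content-length", "0"))
    entropy = shannon_entropy(body)
    flags = {
        "bare_ip_host": re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", hostname) is not None,
        "nonstandard_port": port not in (80, 8080),
        "post_to_root": req["method"] == "POST" and req["path"] == "/",
        "opaque_body": "content-type" not in req["headers"] and entropy >= ENTROPY_THRESHOLD,
    }
    return {
        "endpoint": f"{hostname}:{port}",
        "entropy": round(entropy, 2),
        "flags": flags,
        "score": sum(flags.values()),
        "capture_truncated": len(body) < declared,
        "body_bytes": f"{len(body)} of {declared}",
    }


if __name__ == "__main__":
    for key, value in triage(parse_request(REQUEST_HEAD), BODY).items():
        print(f"{key}: {value}")
```

The entropy check is what separates this POST from the HTML-form and XML traffic a browser produces; it is only meaningful on the body, never on headers, and a capture truncated by the sandbox still gives a usable estimate because the bytes shown are a prefix of the real payload.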
URLs found in memory or binary data (mostly search-provider and favicon URLs from the memory of system processes as well as certcache.exe; compare the POST above, which is the sample's own traffic)
Source: sppsvc.exe; String found in binary or memory: http://
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://%s.com
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://amazon.fr/
Source: sppsvc.exe; String found in binary or memory: http://api.bing.com/qsml.aspx?query=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ariadna.elmundo.es/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://arianna.libero.it/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://asp.usatoday.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://auone.jp/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://br.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://browse.guardian.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://busca.buscape.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://busca.igbusca.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://busca.orange.es/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://busca.uol.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://buscador.lycos.es/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://buscador.terra.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://buscador.terra.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://buscador.terra.es/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://buscar.ozu.es/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://buscar.ya.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://busqueda.aol.com.mx/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://cerca.lycos.it/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://cn.bing.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://cn.bing.com/search?q=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://cnet.search.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://corp.naukri.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://cs.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://cs.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://cs.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://de.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://de.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://de.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://de.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://en.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://en.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://en.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://es.ask.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://es.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://es.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://es.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://es.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://esearch.rakuten.co.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://espanol.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://espn.go.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://find.joins.com/
Source: svchost.exe; String found in binary or memory: http://fontfabrik.comP
Source: svchost.exe; String found in binary or memory: http://fontfabrik.comQ
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://fr.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://fr.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://fr.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://fr.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://google.pchome.com.tw/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://home.altervista.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://home.altervista.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: sppsvc.exe; String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://images.monster.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://in.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://it.search.dada.net/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://it.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://it.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://it.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://it.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ja.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ja.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ja.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://jobsearch.monster.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://kr.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://list.taobao.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://localhost
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://mail.live.com/
Source: sppsvc.exe; String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://msk.afisha.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://nl.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://nl.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://nl.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://p.zhongsou.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://pl.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://pl.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://pl.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://price.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://price.ru/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://pt.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://pt.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://pt.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://recherche.linternaute.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://recherche.tf1.fr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://rover.ebay.com
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ru.search.yahoo.com
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ru.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ru.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://ru.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://sads.myspace.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search-dyn.tiscali.it/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.about.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.alice.it/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.alice.it/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.aol.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.aol.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.aol.in/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.atlas.cz/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.auction.co.kr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.auone.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.books.com.tw/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.centrum.cz/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.chol.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.chol.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.cn.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.daum.net/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.daum.net/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.dreamwiz.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.ebay.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.ebay.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.ebay.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.ebay.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.ebay.es/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.ebay.fr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.ebay.in/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.ebay.it/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.empas.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.empas.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.espn.go.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.gamer.com.tw/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.gismeteo.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.goo.ne.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.hanafos.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.interpark.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.ipop.co.kr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: sppsvc.exe; String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: sppsvc.exe; String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: sppsvc.exe; String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: sppsvc.exe; String found in binary or memory: http://search.live.com/results.aspx?q=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.livedoor.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.lycos.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.lycos.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.lycos.com/favicon.ico
Source: sppsvc.exe; String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: sppsvc.exe; String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: sppsvc.exe; String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: sppsvc.exe; String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.nate.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.naver.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.naver.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.nifty.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.orange.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.rediff.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.rediff.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.seznam.cz/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.sify.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.yahoo.co.jp
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search.yam.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search1.taobao.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://search2.estadao.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exe; String found in binary or memory: http://searchresults.news.com.au/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://service2.bfast.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://si.wikipedia.org/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://si.wikipedia.org/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://si.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://so-net.search.goo.ne.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://spaces.live.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://spaces.live.com/BlogIt.aspx
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.aol.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.freenet.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.lycos.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.t-online.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.web.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://suche.web.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://treyresearch.net
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://tw.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://udn.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://udn.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://uk.ask.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://uk.ask.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://uk.search.yahoo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://vachercher.lycos.fr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://video.globo.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://video.globo.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://w
Source: sppsvc.exeString found in binary or memory: http://wC
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://web.ask.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.%s.com
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.%s.comPA
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.abril.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.alarabiya.net/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.co.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.amazon.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.aol.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.arrakis.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.ascendercorp.com/
Source: svchost.exeString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: svchost.exeString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.asharqalawsat.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ask.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.baidu.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.baidu.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.bethmardutho.org.
Source: svchost.exeString found in binary or memory: http://www.bethmardutho.org.P
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.bing.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.bing.com/maps/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.bing.com/maps/default.aspx
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.bing.com/maps/geotager.aspx
Source: sppsvc.exeString found in binary or memory: http://www.bing.com/search?q=
Source: svchost.exeString found in binary or memory: http://www.c-and-g.co.jp
Source: svchost.exeString found in binary or memory: http://www.c-and-g.co.jpim.
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cdiscount.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ceneo.pl/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cjmall.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.clarin.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cnet.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.cnet.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.dailymail.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.etmall.com.tw/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.excite.co.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.expedia.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.expedia.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.facebook.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.facebook.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers/
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmln.N
Source: svchost.exeString found in binary or memory: http://www.fontbureau.com/designers?
Source: svchost.exeString found in binary or memory: http://www.fontbureau.comce
Source: svchost.exeString found in binary or memory: http://www.fonts.com
Source: svchost.exeString found in binary or memory: http://www.founder.com.cn/cn/
Source: svchost.exeString found in binary or memory: http://www.founder.com.cn/cnm
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.gmarket.co.kr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.co.in/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.co.jp/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.co.uk/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.com.sa/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.com.tw/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.cz/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.es/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.fr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.it/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.pl/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.google.si/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.iask.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.iask.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.kkbox.com.tw/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mercadolibre.com.mx/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mercadolivre.com.br/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.merlin.com.pl/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: sppsvc.exeString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mtv.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.mtv.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.myspace.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.najdi.si/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.najdi.si/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.nate.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.ncst.ernet.in/~rkjoshi
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.neckermann.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.news.com.au/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.nifty.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.orange.fr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.otto.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ozon.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ozon.ru/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ozu.es/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.paginasamarillas.es/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.priceminister.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.priceminister.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.rambler.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.rambler.ru/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.recherche.aol.fr/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.rtl.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.rtl.de/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.sakkal.com
Source: svchost.exeString found in binary or memory: http://www.sakkal.com:
Source: svchost.exeString found in binary or memory: http://www.sandoll.co.kr
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.servicios.clarin.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.shopzilla.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.sify.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.sogou.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.sogou.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.soso.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.soso.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.t-online.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.taobao.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.taobao.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.target.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.target.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.tchibo.de/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.tchibo.de/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.tesco.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.tesco.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.tiro.com#8H
Source: svchost.exeString found in binary or memory: http://www.tiro.com;Copyright
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.tiscali.it/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.typography.net
Source: svchost.exeString found in binary or memory: http://www.typography.netD
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.univision.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.univision.com/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.urwpp.de
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.walmart.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.walmart.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.weather.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.weather.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.ya.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.yam.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.yandex.ru/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www.yandex.ru/favicon.ico
Source: svchost.exeString found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exeString found in binary or memory: http://www.zhongyicts.com.cno.kKH
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www3.fnac.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://www3.fnac.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: svchost.exeString found in binary or memory: http://y
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://yellowpages.superpages.com/
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://yellowpages.superpages.com/favicon.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: http://z.about.com/m/a08.ico
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: https://
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: https://example.com
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: https://localhost
Source: certcache.exe, mscorsvw.exe, svchost.exe, sppsvc.exeString found in binary or memory: https://www.example.com.
Social media URLs found in memory data
Source: sppsvc.exe, mscorsvw.exe, svchost.exe, dnscart.exe, certcache.exe; String found in binary or memory: http://www.facebook.com/
Source: sppsvc.exe, mscorsvw.exe, svchost.exe, dnscart.exe, certcache.exe; String found in binary or memory: http://www.facebook.com/favicon.ico
Uses a known web browser user agent for HTTP communication
Source: global traffic; HTTP traffic detected:
POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 69.16.193.12:4143
Content-Length: 308
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 05 2b f7 5b e4 e5 98 1e 24 6e 6a 13 43 d7 1c ef dc 05 87 f3 14 9c 42 81 af 2b 78 ee 2c c5 67 27 99 36 95 3e d3 40 38 4c 3d 39 4e 44 7a 18 44 d1 32 f6 9a 86 2d 61 60 0b 9e 95 3a b4 d3 29 8e 40 57 82 6a d0 91 62 4a d1 83 f1 52 b2 ea 6e 7e 7f e1 b8 9c 3e c3 ed c3 5d af a9 8b 6c 23 2e df 14 6c ef c2 5f e7 5f 38 c9 2e ba c3 7c 0c db bd 28 14 7e de 48 1e d8 63 39 22 97 5a 81 a4 c8 a1 74 eb d3 74 6b ae 5d df 8e f0 72 0b 9a bf e0 ea 18 98 2e 9e 5a 78 d2 ef 27 62 ba b7 31 0d 3c 07 c9 9c 9a 45 15 f5 fb 20 b2 54 33 70 c8 1f f2 51 96 51 76 8d 6d f9 db 50 b6 93 c2 8e cd 63 2a 6a 81 0a 2f 85 8a 20 12 72 88 51 75 d0 26 33 57 24 19 af d3 8a d2 04 7a f3 2b 45 ca 0e bb bd 83 f7 79 cf fc 37 51 e7 27 c1 c3 e4 02 d4 23 9c
Source: global traffic; HTTP traffic detected:
POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 178.32.255.132:7080
Content-Length: 308
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 95 73 06 ac 88 ab 6d 88 1c 42 8b 42 cc fe 00 d8 b2 75 14 4f 5e 86 02 fb e1 ee 3c ac eb ad bd 9c a7 a9 2f 7d 11 2b 58 78 52 fb c0 9a 7d 6d 86 ed f1 e4 b5 49 16 26 4d 18 e6 56 39 2a 6d b6 0a 29 8a 5c fc 58 bd de f7 ef df 89 c0 35 9c a5 ea 14 c7 e3 31 55 cd 15 41 f7 b0 a5 11 2c eb 9e f3 ec 26 7a d3 9b bb 09 89 f4 a6 8e 67 8f 41 55 b5 90 b8 25 69 18 54 86 d2 24 7a 3d c2 0d 20 f6 a1 1a 68 47 09 78 33 21 ea 2e e1 62 dd e8 1b e8 7f 18 be cb 9b 0c 90 4a f3 11 45 b6 43 8e 2b 93 b7 82 76 af df fb b3 95 9e 81 b1 de 43 27 d1 b0 f6 9e 85 a8 b5 27 dc ec 3e bf 18 15 f5 26 3f 37 26 69 58 fa ea 53 c2 b9 64 e2 55 d6 ac 08 c1 14 66 cd 82 97 a2 1a 5c b9 b1 5d 0a fc 0c 38 82 f2 17 30 81 16 27 e4 11 75 c1 3e 44 fc 39 91 0
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.2:49158 -> 69.16.193.12:4143
Source: global traffic; TCP traffic: 192.168.2.2:49159 -> 178.32.255.132:7080
Uses known network protocols on non-standard ports
Source: unknown; Network traffic detected: HTTP traffic on port 49158 -> 4143
Source: unknown; Network traffic detected: HTTP traffic on port 49159 -> 7080

Boot Survival:

Contains functionality to start Windows services
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 2_2_00229960 StartServiceW,CloseServiceHandle,CloseServiceHandle, 2_2_00229960

Stealing of Sensitive Information:

Encrypts process information
Source: C:\Windows\SysWOW64\certcache.exe; Data encrypted: 216554_6C0D37D2%*WmiApSrv.exe,conhost.exe,WmiPrvSE.exe,explorer.exe,taskeng.exe,dwm.exe,taskhost.exe,spoolsv.exe,audiodg.exe,svchost.exe,lsm.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,System,[System Process],2:
Source: C:\Windows\SysWOW64\certcache.exe; Data encrypted: 216554_6C0D37D2%*mscorsvw.exe,WmiApSrv.exe,conhost.exe,WmiPrvSE.exe,explorer.exe,taskeng.exe,dwm.exe,taskhost.exe,spoolsv.exe,audiodg.exe,svchost.exe,lsm.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,System,[System Process],2:

Persistence and Installation Behavior:

Drops PE files to the Windows directory (C:\Windows)
Source: C:\Users\user\Desktop\dnscart.exe; PE file moved: C:\Windows\SysWOW64\certcache.exe
Drops executables to the Windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\certcache.exe; Executable created and started: C:\Windows\SysWOW64\certcache.exe

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample; Static PE information: section name: .text entropy: 7.10790918737
PE file contains an invalid checksum
Source: dnscart.exe; Static PE information: real checksum: 0x1 should be: 0x2d77f
PE file contains sections with non-standard names
Source: dnscart.exe; Static PE information: section name: 6xOsN5y
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 1_2_00A1572F push ebp; retf 1_2_00A15738
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 1_2_00A14ABA push ebp; ret 1_2_00A14AC4
Source: C:\Users\user\Desktop\dnscart.exe; Code function: 1_2_00A147E4 push 00000048h; iretd 1_2_00A147E6
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_00320116 push ebp; iretd 8_2_00320118
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_00328C69 push ss; retf 0018h 8_2_00328C6C
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_00331FAA pushad ; retn 0035h 8_2_003323D1
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_003256E8 pushad ; retf 8_2_003256E9
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_0033C968 push eax; iretd 8_2_0033C9B1
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_0033CB42 push eax; retf 0033h 8_2_0033CC39
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_0033C95A push eax; retf 0033h 8_2_0033C961
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_00326AE8 pushad ; retf 8_2_00326AE9
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_0032F218 pushad ; retf 8_2_0032F219
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_0032E5A8 pushad ; retf 8_2_0032E5A9
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_00356558 pushad ; retf 8_2_00356559
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_0035B54A pushad ; iretd 8_2_0035B881
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_003520B0 pushad ; iretd 8_2_003521D9
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_003521DA push ebp; iretd 8_2_00352289
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_00392989 push E9448A66h; retf 8_2_0039298E
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_003BA01D pushad ; retf 003Bh 8_2_003BA0A9
Source: C:\Windows\System32\sppsvc.exe; Code function: 8_2_003A294A pushfd ; ret 8_2_003A2C72

System Summary:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: dnscart.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: dnscart.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: FntCache.pdb source: svchost.exe
Source: Binary string: wow64win.pdb source: certcache.exe, mscorsvw.exe
Source: Binary string: sppwinob.pdb source: sppsvc.exe
Source: Binary string: FntCache.pdbH source: svchost.exe
Source: Binary string: wow64cpu.pdb source: certcache.exe, mscorsvw.exe
Source: Binary string: wow64.pdbH source: certcache.exe, mscorsvw.exe
Source: Binary string: wow64win.pdbH source: certcache.exe, mscorsvw.exe
Source: Binary string: sppobjs.pdb source: sppsvc.exe
Source: Binary string: !!22ewW.pdb source: certcache.exe, dnscart.exe
Source: Binary string: sppsvc.pdb source: sppsvc.exe
Source: Binary string: wow64.pdb source: certcache.exe, mscorsvw.exe
Classification label
Source: classification engine | Classification label: mal56.troj.winEXE@11/1@0/3
Contains functionality to create services
Source: C:\Users\user\Desktop\dnscart.exe | Code function: CreateServiceW,2_2_002297B3
Source: C:\Windows\SysWOW64\certcache.exe | Code function: CreateServiceW,4_2_001397B3
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001F214F CreateToolhelp32Snapshot
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00229960 StartServiceW,CloseServiceHandle,CloseServiceHandle
PE file has an executable .text section and no other executable section
Source: dnscart.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\dnscart.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\dnscart.exe | Key opened: HKEY_USERS\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\dnscart.exe 'C:\Users\user\Desktop\dnscart.exe'
Source: unknown | Process created: C:\Users\user\Desktop\dnscart.exe C:\Users\user\Desktop\dnscart.exe
Source: unknown | Process created: C:\Windows\SysWOW64\certcache.exe C:\Windows\SysWOW64\certcache.exe
Source: unknown | Process created: C:\Windows\SysWOW64\certcache.exe C:\Windows\SysWOW64\certcache.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Source: unknown | Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown | Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: C:\Users\user\Desktop\dnscart.exe | Process created: C:\Users\user\Desktop\dnscart.exe C:\Users\user\Desktop\dnscart.exe
Source: C:\Windows\SysWOW64\certcache.exe | Process created: C:\Windows\SysWOW64\certcache.exe C:\Windows\SysWOW64\certcache.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\dnscart.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\dnscart.exe | Memory allocated: 77290000 page execute and read and write (2 times)
Source: C:\Users\user\Desktop\dnscart.exe | Memory allocated: 77190000 page execute and read and write (2 times)
Source: C:\Windows\SysWOW64\certcache.exe | Memory allocated: 77290000 page execute and read and write (2 times)
Source: C:\Windows\SysWOW64\certcache.exe | Memory allocated: 77190000 page execute and read and write (2 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Memory allocated: 77290000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Memory allocated: 77190000 page execute and read and write
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00222220 CreateProcessAsUserW
Creates files inside the system directory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
Creates mutexes
Source: C:\Windows\SysWOW64\certcache.exe | Mutant created: \BaseNamedObjects\M49C95F14
Source: C:\Users\user\Desktop\dnscart.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I6C0D37D2
Source: C:\Users\user\Desktop\dnscart.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M6C0D37D2
Source: C:\Windows\SysWOW64\certcache.exe | Mutant created: \BaseNamedObjects\Global\I6C0D37D2
Source: C:\Users\user\Desktop\dnscart.exe | Mutant created: \Sessions\1\BaseNamedObjects\M7DE44FFE
Deletes Windows files
Source: C:\Users\user\Desktop\dnscart.exe | File deleted: C:\Windows\SysWOW64\certcache.exe:Zone.Identifier
Source: C:\Users\user\Desktop\dnscart.exeCode function: 1_2_001F2E6A1_2_001F2E6A
Source: C:\Users\user\Desktop\dnscart.exeCode function: 1_2_001F2E6A1_2_001F2E6A
Source: C:\Users\user\Desktop\dnscart.exeCode function: 2_2_00222E6A2_2_00222E6A
Source: C:\Users\user\Desktop\dnscart.exeCode function: 2_2_00222E6A2_2_00222E6A
Source: C:\Windows\SysWOW64\certcache.exeCode function: 3_2_001A2E6A3_2_001A2E6A
Source: C:\Windows\SysWOW64\certcache.exeCode function: 3_2_001A2E6A3_2_001A2E6A
Source: C:\Windows\SysWOW64\certcache.exeCode function: 4_2_00132E6A4_2_00132E6A
Source: C:\Windows\SysWOW64\certcache.exeCode function: 4_2_00132E6A4_2_00132E6A
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_003323D88_2_003323D8
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_00320F778_2_00320F77
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_00336DC28_2_00336DC2
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_0033C9B28_2_0033C9B2
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_00336D268_2_00336D26
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_0033CB428_2_0033CB42
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_00336D2E8_2_00336D2E
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_0033B2F88_2_0033B2F8
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_003573C88_2_003573C8
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_0035228A8_2_0035228A
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_003520B08_2_003520B0
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_0035307E8_2_0035307E
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_0035551A8_2_0035551A
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_00362D7D8_2_00362D7D
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_0038DB608_2_0038DB60
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_0038D3648_2_0038D364
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_0038D3298_2_0038D329
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_0038D3788_2_0038D378
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_003AE8488_2_003AE848
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_003AE8388_2_003AE838
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_003AE8888_2_003AE888
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_003A294A8_2_003A294A
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_00332AE48_2_00332AE4
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_003329248_2_00332924
Source: C:\Windows\System32\sppsvc.exeCode function: 8_2_00332AEC8_2_00332AEC
PE file contains executable resources (Code or Archives)
Source: dnscart.exe | Static PE information: Resource name: RT_VERSION type: ump; VAX COFF executable not stripped - version 79
Reads the hosts file
Source: C:\Windows\SysWOW64\certcache.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Sample file is different than original file name gathered from version info
Source: dnscart.exe | Binary or memory string: OriginalFilenamewow64.dllj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamewow64lg2.dllj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamewow64cpu.dllj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameCSRSS.Exe.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamewinsrv.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameWinInit.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameWINLOGON.EXE.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameuser32j% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameservices.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamelsasrv.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamesvchost.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamewship6.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamewshqos.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameAUTHUI.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenametzres.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamesppsvc.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameInput.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameTipTsf.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameS pTip.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameTableTextService.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamegpsvc.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameaero.msstyles.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenametaskcomp.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamespoolsv.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameBFE.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameFirewallAPI.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenametaskhost.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameUSERINIT.EXE.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: originalfilename vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameMSCMS.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamej% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameMsCtfMonitor.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamesnmptrap.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamelmhsvc.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamedwm.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamedhcpcore.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamepeerdistsh.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameNetLogon.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamesstpsvc.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamelocalspl.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameFXSRESM.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenametaskeng.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameWsdMon.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamevsstrace.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameWLDAP32.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamenetprofm.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameThemeUI.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameExplorerFrame.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameesrb.dll.muiH vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamexpsrchvw.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamestobject.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamerasdlg.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameAltTab.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamewscui.cpl.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameHCPROVIDERS.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameSearchIndexer.exe.mui@ vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamePNIDUI.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenametquery.dll.mui@ vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameesent.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamesidebar.EXE.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameMsMpRes.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenametwext.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamempr.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameschedsvc.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameFDResPub.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameFunDisc.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamerpcrt4.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameFDPrint.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameBASEBRD.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameimageres.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameWINMM.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameDocumentPerformanceEvents.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameWerConCpl.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameMSHTML.DLL.MUIV vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameSHSVCS.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenametaskmgr.exe.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameSndVolSSO.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamewin32spl.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameinetpp.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameadvapi32.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameprovsvc.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameIEFRAME.DLL.MUIV vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamep2pcollab.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameQAgentRT.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameDhcpQEC.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamenlasvc.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamenapinsp.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamepnrpnsp.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameFVEUI.DLL.MUIj% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenamews2_32.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: OriginalFilenameiphlpapi.dll.muij% vs dnscart.exe
Source: dnscart.exe | Binary or memory string: System.OriginalFileName vs dnscart.exe
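The static signatures under Data Obfuscation (a .text entropy of 7.1, a stored CheckSum of 0x1 against an expected 0x2d77f, a section named 6xOsN5y) and the static ones in this section (DYNAMIC_BASE and NX_COMPAT set, a debug data directory present, .text as the only executable section) can all be reproduced from the PE headers without running the file. The script below is an added example written for this page, not Joe Sandbox code and not the sample's; it parses PE32 headers by hand with the standard library and runs on a constructed stand-in binary, since dnscart.exe itself is not on the page. The 7.0 entropy threshold and the set of names treated as standard sections are assumptions.

```python
"""Static PE32 triage for the report's entropy, CheckSum, section-name,
ASLR/NX, debug-directory and executable-section signatures (stdlib only)."""
import math
import struct

STANDARD_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata", b".edata",
                     b".rsrc", b".reloc", b".tls", b".pdata", b".CRT", b".debug"}
DYNAMIC_BASE, NX_COMPAT, TS_AWARE = 0x0040, 0x0100, 0x8000   # IMAGE_DLLCHARACTERISTICS_*
SCN_CNT_CODE, SCN_MEM_EXECUTE = 0x00000020, 0x20000000        # IMAGE_SCN_*
SCN_MEM_READ, SCN_MEM_WRITE = 0x40000000, 0x80000000
DIR_DEBUG = 6                                                 # IMAGE_DIRECTORY_ENTRY_DEBUG
ENTROPY_PACKED = 7.0                                          # assumption: threshold for "packed"


def shannon_entropy(buf):
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def pe_checksum(data, checksum_off):
    """CheckSum as CheckSumMappedFile computes it: fold the file into 16 bits,
    skipping the CheckSum dword itself, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def triage_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                   # optional header (PE32 layout)
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    debug_rva = struct.unpack_from("<I", data, opt + 96 + 8 * DIR_DEBUG)[0] if ndirs > DIR_DEBUG else 0
    computed = pe_checksum(data, opt + 64)

    sections, hdr = {}, opt + opt_size
    for _ in range(nsec):
        name = data[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections[name.decode("latin-1")] = {
            "entropy": round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 3),
            "executable": bool(chars & (SCN_CNT_CODE | SCN_MEM_EXECUTE)),
            "standard_name": name in STANDARD_SECTIONS,
        }
        hdr += 40
    return {
        "stored_checksum": stored, "computed_checksum": computed,
        # 0 means the linker never filled the field (usual for user-mode EXEs);
        # a wrong non-zero value, like the report's 0x1, is the odd case
        "bad_checksum": stored not in (0, computed),
        "aslr": bool(dllchars & DYNAMIC_BASE), "nx": bool(dllchars & NX_COMPAT),
        "ts_aware": bool(dllchars & TS_AWARE), "has_debug_dir": debug_rva != 0,
        "sections": sections,
        "high_entropy_sections": sorted(n for n, s in sections.items() if s["entropy"] > ENTROPY_PACKED),
        "nonstandard_sections": sorted(n for n, s in sections.items() if not s["standard_name"]),
        "exec_sections": sorted(n for n, s in sections.items() if s["executable"]),
    }


def build_synthetic_pe(text_body, odd_body, checksum=1):
    """Constructed stand-in for dnscart.exe (not the real sample): .text plus a
    section named 6xOsN5y, CheckSum=1, ASLR/NX/TS-aware set, a debug directory."""
    align = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)           # i386, 2 sections, EXE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<HH", opt, 68, 2, DYNAMIC_BASE | NX_COMPAT | TS_AWARE)  # Subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_DEBUG, 0x3000, 28)             # debug directory entry
    secs, bodies, rva = b"", b"", 0x1000
    for name, body, chars in ((b".text", text_body, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
                              (b"6xOsN5y", odd_body, 0x40 | SCN_MEM_READ | SCN_MEM_WRITE)):
        size = len(body) + (-len(body) % align)
        secs += struct.pack("<8sIIIIIIHHI", name, len(body), rva, size, align + len(bodies), 0, 0, 0, 0, chars)
        bodies += body.ljust(size, b"\0")
        rva += 0x1000
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(align, b"\0") + bodies
```

The checksum rule is the one worth getting right: a stored value of 0 is what most linkers leave in user-mode binaries and is not suspicious on its own, whereas a wrong non-zero value such as the 0x1 here means something rewrote the header after linking. Windows validates the field only for drivers and a few system-critical images, so a wrong value never stops the loader; it is an artefact of tampering, not a defence.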

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\dnscart.exe | Process created: C:\Users\user\Desktop\dnscart.exe C:\Users\user\Desktop\dnscart.exe
Source: C:\Windows\SysWOW64\certcache.exe | Process created: C:\Windows\SysWOW64\certcache.exe C:\Windows\SysWOW64\certcache.exe

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\dnscart.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Windows\System32\sppsvc.exe | Process queried: DebugPort (11 times)
Note: every DebugPort query is attributed to sppsvc.exe, a Windows system service that was started during the run (see Spawns processes), not to dnscart.exe or certcache.exe; the kernel-debugger check above is the sample's own.
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001F1BE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 2_2_00221BE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\certcache.exe | Code function: 3_2_001A1BE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\certcache.exe | Code function: 4_2_00131BE0 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001E2088 GetLastError,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree,SetLastError,GetCurrentProcess,GetLastError,wsprintfA,SetLastError,GetCurrentProcessId
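The push/ret sequences listed under Data Obfuscation and the fs:[30h] PEB reads above are fixed byte patterns, so they can be hunted in a memory dump or an extracted section without a disassembler. The scanner below is an added example written for this page (not Joe Sandbox code and not the sample's); it encodes the two idioms as regular expressions over bytes and runs on a constructed buffer. One caveat the report itself illustrates: push/ret matches also arise when data is disassembled as code, so hits are candidates for review, not verdicts.

```python
"""Byte-pattern scanner for two of the instruction idioms the sandbox flagged:
a PEB read through the TEB (mov r32, fs:[30h]) and a push-imm32/ret
trampoline (a jump disguised as a return). Works on any code bytes, e.g. a
dumped section, without a disassembler."""
import re
import struct

# 64 A1 30 00 00 00          mov eax, fs:[30h]  (short EAX form)
# 64 8B /r 30 00 00 00       mov r32, fs:[30h]  (ModRM mod=00 rm=101: disp32, no base)
PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")
# 68 imm32 C3 / CB           push imm32 ; ret / retf
PUSH_RET = re.compile(rb"\x68(.{4})[\xC3\xCB]", re.DOTALL)
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def scan(code, base=0):
    """Return [(address, kind, detail)] sorted by address; `base` is the load
    address of `code` so results line up with a disassembler's listing."""
    hits = []
    for m in PEB_READ.finditer(code):
        reg = "eax" if code[m.start() + 1] == 0xA1 else REG32[(code[m.start() + 2] >> 3) & 7]
        hits.append((base + m.start(), "peb_read", f"mov {reg}, fs:[30h]"))
    for m in PUSH_RET.finditer(code):
        target = struct.unpack("<I", m.group(1))[0]
        mnem = "ret" if code[m.end() - 1] == 0xC3 else "retf"
        hits.append((base + m.start(), "push_ret", f"push {target:#010x}; {mnem}"))
    return sorted(hits)


# Constructed sample, not bytes from dnscart.exe: filler, a PEB read into ecx
# followed by a Ldr fetch, a push/ret trampoline to 0x401000, and the EAX-form
# PEB read that the report shows at 1_2_001F1BE0.
SAMPLE = (b"\x90" * 4
          + b"\x64\x8B\x0D\x30\x00\x00\x00"    # mov ecx, fs:[30h]
          + b"\x8B\x49\x0C"                     # mov ecx, [ecx+0Ch]
          + b"\x68\x00\x10\x40\x00\xC3"        # push 401000h ; ret
          + b"\xCC" * 3
          + b"\x64\xA1\x30\x00\x00\x00")       # mov eax, fs:[30h]

if __name__ == "__main__":
    for addr, kind, detail in scan(SAMPLE, base=0x400000):
        print(f"{addr:#010x}  {kind:9}  {detail}")
```

Pass the section's virtual address as `base` when scanning a dumped section so the reported addresses match the function identifiers in this report; the `push imm32 ; ret` decoder also recovers the jump target, which is the address worth following next.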

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: sppsvc.exe | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: sppsvc.exe | Binary or memory string: SCSI\DISK&VEN_VMWARE_&PROD_VMWARE_VIRTUAL_S\5&22BE343F&0&000000
Note: both strings were found in the memory of sppsvc.exe, a Windows system service, not in dnscart.exe or certcache.exe; they are not evidence that the sample's processes look for a VM.
Program exit points
Source: C:\Windows\SysWOW64\certcache.exe | API call chain: ExitProcess graph end node graph_4-6574
Source: C:\Windows\SysWOW64\certcache.exe | API call chain: ExitProcess graph end node graph_4-6648
Queries a list of all running processes
Source: C:\Windows\SysWOW64\certcache.exe | Process information queried: ProcessInformation
Checks the free space of harddrives
Source: C:\Users\user\Desktop\dnscart.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\dnscart.exe | Code function: EnumServicesStatusExW,OpenServiceW,2_2_0022985F
Source: C:\Users\user\Desktop\dnscart.exe | Code function: EnumServicesStatusExW,GetLastError,2_2_002297F3
Source: C:\Windows\SysWOW64\certcache.exe | Code function: EnumServicesStatusExW,OpenServiceW,4_2_0013985F
Source: C:\Windows\SysWOW64\certcache.exe | Code function: EnumServicesStatusExW,GetLastError,4_2_001397F3
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\dnscart.exe | API coverage: 6.2 %
Source: C:\Windows\SysWOW64\certcache.exe | API coverage: 5.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\dnscart.exe TID: 2284 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\SysWOW64\certcache.exe TID: 2700 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wbem\WmiApSrv.exe TID: 2576 | Thread sleep time: -120000s >= -60000s

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49158 -> 4143
Source: unknown | Network traffic detected: HTTP traffic on port 49159 -> 7080

Language, Device and Operating System Detection:

Contains functionality to query windows version
Source: C:\Users\user\Desktop\dnscart.exe | Code function: 1_2_001F8DA0 RtlGetVersion,GetNativeSystemInfo, | 1_2_001F8DA0
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\dnscart.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\dnscart.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\certcache.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\Fonts\modern.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\Fonts\roman.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\Fonts\script.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\Fonts\coure.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\Fonts\serife.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\Fonts\sserife.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\Fonts\smalle.fon VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\Fonts\smallf.fon VolumeInformation

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious

[Behavior graph image not reproduced] Behavior Graph ID: 491, Sample: dnscart.exe, Start date: 23/01/2018, Architecture: WINDOWS, Score: 56.
Graph nodes: certcache.exe, dnscart.exe, svchost.exe and 4 other processes started from the sample; certcache.exe drops executables to the windows directory (C:\Windows) and starts them; certcache.exe contacts 178.32.255.132 port 7080 (OVH, France), 69.16.193.12 port 4143 (Liquid Web LLC, United States) and 192.168.2.255 (unknown).
Graph signatures: Detected TCP or UDP traffic on non-standard ports; Uses known network protocols on non-standard ports; Drops executables to the windows directory (C:\Windows) and starts them; Encrypts process information.

Simulations

Behavior and APIs

Time | Type | Description
21:07:28 | API Interceptor | 1x Sleep call for process: dnscart.exe modified from: 60000ms to: 1000ms
21:07:46 | API Interceptor | 1x Sleep call for process: certcache.exe modified from: 60000ms to: 1000ms
21:09:25 | API Interceptor | 2x Sleep call for process: WmiApSrv.exe modified from: 60000ms to: 1000ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot