
Windows Analysis Report 60e40fb428612.dll

Overview

General Information

Sample Name: 60e40fb428612.dll
Analysis ID: 444548
MD5: c6bfea479b46b9eb7a69667e0165179f
SHA1: c7f449ab51a47791a8f3041f0a0dce7c6feb06c4
SHA256: 62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc
Tags: dll, enel, geo, gozi, isfb, ita, ursnif

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6680 cmdline: loaddll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6708 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6760 cmdline: rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6748 cmdline: rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6792 cmdline: rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Dogwhen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6804 cmdline: rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Sing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6816 cmdline: rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Wholegray MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6312 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1320 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3176 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(4 further entries omitted)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000003.317332406.0000000003560000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Source: 60e40fb428612.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 60e40fb428612.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, 00000000.00000002.476685729.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.477751077.000000006E234000.00000002.00020000.sdmp, 60e40fb428612.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49732 -> 40.97.116.82:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49732 -> 40.97.116.82:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49755 -> 37.120.222.6:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49755 -> 37.120.222.6:80
Source: Joe Sandbox View IP Address: 40.101.18.18
Source: Joe Sandbox View IP Address: 40.97.116.82
Source: global traffic HTTP traffic detected:
    GET /grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9uJKM/uw7wyHm_/2Bzvrq8q92GB9q04QVkch60/s8xolTUIEl/JiLJJpnHLtn3GR9k1/2H8tNCG7sbZq/z7aUK7NADvh/BA6FMpxvpSV9V3/bnPW_2FsZW9JkMS_2Bt_2/FS0OhP_2Bi7_2Fs_/2BndfgWaKsB4v7f/IedJmZ8N1/uc.grow HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: outlook.com
    Connection: Keep-Alive
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x75ae7464,0x01d7728a</date><accdate>0x75ae7464,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.22.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x75b61584,0x01d7728a</date><accdate>0x75b61584,0x01d7728a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: outlook.com
Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp String found in binary or memory: http://outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9u
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.464931301.000001D552DD2000.00000004.00000020.sdmpString found in binary or memory: http://vuredosite.club/grower/gjRpowobIXSobHjwI2Wv/_2Fg_2FVDgdI_2BsMGm/BfIb8NeDQ0u4hOXuLbcUki/fsX_2F
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: iexplore.exe, 0000001E.00000002.478655317.000001D554DB0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: msapplication.xml.22.drString found in binary or memory: http://www.amazon.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
            Source: msapplication.xml1.22.drString found in binary or memory: http://www.google.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
            Source: msapplication.xml2.22.drString found in binary or memory: http://www.live.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
            Source: msapplication.xml3.22.drString found in binary or memory: http://www.nytimes.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
            Source: msapplication.xml4.22.drString found in binary or memory: http://www.reddit.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.tesco.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
            Source: msapplication.xml5.22.drString found in binary or memory: http://www.twitter.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
            Source: msapplication.xml6.22.drString found in binary or memory: http://www.wikipedia.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
            Source: msapplication.xml7.22.drString found in binary or memory: http://www.youtube.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
            Source: iexplore.exe, 0000001E.00000002.479158594.000001D554EA3000.00000002.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
            Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp | String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
            Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp | String found in binary or memory: https://ei.rdtcdn.com/www-static/cdn_files/redtube/icons/favicon.png?v=855e9f26de79d21367b6ee4a42556
            Source: iexplore.exe, 0000001E.00000002.464931301.000001D552DD2000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com
            Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp | String found in binary or memory: https://outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2FSXB9
            Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp, ~DFC3C25805150DF731.TMP.22.dr, {9F4ECD46-DE7D-11EB-90E4-ECF4BB862DED}.dat.22.dr | String found in binary or memory: https://outlook.office365.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign
            Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
            Source: iexplore.exe, 0000001E.00000002.465171579.000001D552E17000.00000004.00000020.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
            Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.480283186.000001D5557CB000.00000004.00000001.sdmp | String found in binary or memory: https://www.outlook.com/grower/v6VaX2L98iQ9vNPqP6I1/s7YQ5JAQQXN9djD_2BP/oxHIXx6SfkQXQHWk5gYign/kG_2F
            Source: iexplore.exe, 0000001E.00000002.480050763.000001D555720000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.466280522.000001D552E37000.00000004.00000020.sdmp, iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.479396698.000001D5550E0000.00000004.00000001.sdmp, iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/
            Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/(
            Source: iexplore.exe, 0000001E.00000002.480305506.000001D5557D6000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/18=q
            Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/3
            Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/BbRR
            Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/V
            Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/e
            Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/favicon.ico
            Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/favicon.icoW
            Source: iexplore.exe, 0000001E.00000002.480232372.000001D5557B2000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/mdll
            Source: iexplore.exe, 0000001E.00000002.480201993.000001D55579D000.00000004.00000001.sdmp | String found in binary or memory: https://www.redtube.com/zO%F
            Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.375971100.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375934102.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375882980.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375768564.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375954554.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375906864.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375822644.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.375857537.00000000053D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6760, type: MEMORY

            System Summary:

            Writes registry values via WMI
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
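            The three StdRegProv calls above are the security-relevant point of this signature: the sample never touches the registry API from its own process. The write is carried out by the WMI provider host, so registry telemetry that records the writing process (Sysmon Event ID 12/13, for instance) attributes it to WmiPrvSE.exe, not to rundll32.exe. What ties it back to the caller is the WMI-Activity tracing that records each client operation together with its ClientProcessId (the Operational channel only logs failed operations; the Trace channel, off by default, logs all of them; confirm the channel and event layout against your own telemetry). The Python below is an added example by the editor, not part of the Joe Sandbox report. It parses constructed records in that "Key = value; Key = value" layout, joins the client PID to a constructed PID-to-image table (in production, Sysmon Event ID 1 or Security 4688), and flags registry-modifying StdRegProv methods, rating them higher when the caller is a script or LOLBin host such as rundll32.exe.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (not taken from the report) in the field layout WMI-Activity
# tracing uses for client operations. Lines 1-3 mirror the three StdRegProv methods the
# sandbox saw from rundll32.exe (PID 6760); lines 4-5 are a benign read and query for contrast.
SAMPLE_EVENTS = [
    r"Operation = Start IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue; ClientMachine = WIN10; User = WIN10\user; ClientProcessId = 6760; NamespaceName = \\.\root\default",
    r"Operation = Start IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue; ClientMachine = WIN10; User = WIN10\user; ClientProcessId = 6760; NamespaceName = \\.\root\default",
    r"Operation = Start IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue; ClientMachine = WIN10; User = WIN10\user; ClientProcessId = 6760; NamespaceName = \\.\root\default",
    r"Operation = Start IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue; ClientMachine = WIN10; User = WIN10\user; ClientProcessId = 1234; NamespaceName = \\.\root\default",
    r"Operation = Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process; ClientMachine = WIN10; User = WIN10\user; ClientProcessId = 4321; NamespaceName = \\.\root\cimv2",
]

# Constructed PID -> image table. In production this is a join on process-creation
# telemetry (Sysmon Event ID 1 or Security 4688) keyed on ProcessId.
PROCESS_IMAGES: Dict[int, str] = {
    6760: r"C:\Windows\SysWOW64\rundll32.exe",
    1234: r"C:\Windows\System32\svchost.exe",
    4321: r"C:\Windows\System32\taskmgr.exe",
}

# StdRegProv methods that change the registry; the read-only Get*/Enum* methods are ignored.
REG_WRITE_METHODS = {
    "CreateKey", "DeleteKey", "DeleteValue",
    "SetDWORDValue", "SetQWORDValue", "SetBinaryValue",
    "SetStringValue", "SetExpandedStringValue", "SetMultiStringValue",
}
# Hosts that rarely have a legitimate reason to drive StdRegProv.
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "loaddll32.exe"}

_FIELD_RE = re.compile(r"(\w+) = ([^;]*)")
_METHOD_RE = re.compile(r"StdRegProv::(\w+)")


@dataclass
class Finding:
    pid: int
    image: str
    method: str
    severity: str


def parse_fields(line: str) -> Dict[str, str]:
    """Split a 'Key = value; Key = value' record into a dict."""
    return {k: v.strip() for k, v in _FIELD_RE.findall(line)}


def analyze(line: str, images: Dict[int, str]) -> Optional[Finding]:
    """Flag a record if it is a registry-modifying StdRegProv call; rate it by the caller's image."""
    fields = parse_fields(line)
    m = _METHOD_RE.search(fields.get("Operation", ""))
    if not m or m.group(1) not in REG_WRITE_METHODS:
        return None
    pid = int(fields.get("ClientProcessId", "0") or 0)
    image = images.get(pid, "<unknown>")
    host = image.rsplit("\\", 1)[-1].lower()
    severity = "high" if host in LOLBIN_HOSTS else "medium"
    return Finding(pid, image, m.group(1), severity)


def scan(lines: List[str], images: Dict[int, str]) -> List[Finding]:
    """Run analyze() over a batch of records and keep only the findings."""
    return [f for f in (analyze(line, images) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, PROCESS_IMAGES):
        print(f"[{f.severity}] pid {f.pid} {f.image} -> StdRegProv::{f.method}")
```

            Against the constructed input this yields three high-severity findings for PID 6760 and nothing for the read or the Win32_Process query. The PID join is the part that matters: without it, the write looks like ordinary WmiPrvSE.exe activity.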
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F1996 GetProcAddress,NtCreateSection,memset
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F1A44 NtMapViewOfSection
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F23A5 NtQueryVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02BA5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02BAB1A5 NtQueryVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F2184
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02BA888E
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02BA3EE1
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02BAAF80
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2117B0
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E224E00
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E22BE61
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E220DB8
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2205E5
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2288B7
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2309C8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2117B0
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E224E00
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E22BE61
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E220DB8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2205E5
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2288B7
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E2309C8
            Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E223290 appears 39 times
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E223290 appears 39 times
            Source: 60e40fb428612.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: classification engine | Classification label: mal68.troj.winDLL@17/14@17/3
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02BAA65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF1C465EC4A4AE6446.TMP
            Source: 60e40fb428612.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll'
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Dogwhen
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Sing
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Wholegray
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Clockcondition
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Dogwhen
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Sing
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\60e40fb428612.dll,Wholegray
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\60e40fb428612.dll',#1
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6312 CREDAT:17410 /prefetch:2
            Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: 60e40fb428612.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 60e40fb428612.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 60e40fb428612.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 60e40fb428612.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 60e40fb428612.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 60e40fb428612.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 60e40fb428612.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
            Source: 60e40fb428612.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, 00000000.00000002.476685729.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.477751077.000000006E234000.00000002.00020000.sdmp, 60e40fb428612.dll
            Source: 60e40fb428612.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: 60e40fb428612.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: 60e40fb428612.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: 60e40fb428612.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: 60e40fb428612.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F1BAC LoadLibraryA,GetProcAddress
            Source: 60e40fb428612.dll | Static PE information: real checksum: 0x6292a should be: 0x6af68
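            The checksum mismatch is a cheap static triage signal worth understanding. IMAGE_OPTIONAL_HEADER.CheckSum is the 16-bit one's-complement sum of every word in the file, with the CheckSum field itself treated as zero, plus the file length; that is what imagehlp's CheckSumMappedFile computes and what the sandbox's "should be" value is. The loader only enforces it for kernel drivers and boot-time images, so a user-mode DLL with a stale value loads without complaint. A wrong (rather than zero) value therefore means the bytes changed after the linker wrote the header, which is what packers, crypters and payload-stamping builders do; a value of 0 just means the linker never emitted one. The Python below is an added example by the editor, not the sandbox's code: it implements the algorithm, builds a constructed minimal PE32 DLL header with a correct checksum, then shows a single-byte change breaking it. No real sample is assumed; feeding verify_checksum the bytes of any DLL reproduces the report's "real checksum ... should be" line.

```python
import struct


def _fold16(total: int) -> int:
    """Fold carries back into the low 16 bits (one's-complement addition)."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pe_checksum(data: bytes, skip_offset: int) -> int:
    """PE image checksum: one's-complement sum of all 16-bit words, excluding the
    4-byte CheckSum field at skip_offset, plus the original file length.
    This is the algorithm imagehlp!CheckSumMappedFile implements."""
    length = len(data)
    if length % 2:
        data = data + b"\x00"            # odd-length files are padded for the word sum
    total = 0
    for off in range(0, len(data), 2):
        if skip_offset <= off < skip_offset + 4:
            continue                      # the field being computed counts as zero
        total = _fold16(total + (data[off] | (data[off + 1] << 8)))
    return (total + length) & 0xFFFFFFFF


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same offset for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    # 4 (signature) + 20 (COFF file header) + 64 (CheckSum offset inside the optional header)
    return e_lfanew + 4 + 20 + 64


def verify_checksum(data: bytes):
    """Return (stored, computed, matches) for a PE image held in memory."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def report_line(data: bytes) -> str:
    """Render the verdict in the wording the sandbox report uses."""
    stored, computed, ok = verify_checksum(data)
    if stored == 0:
        return "checksum not set (0): linker did not emit one"
    if ok:
        return f"checksum ok: {stored:#x}"
    return f"real checksum: {stored:#x} should be: {computed:#x}"


def build_demo_dll() -> bytes:
    """Constructed minimal PE32 DLL header (no sections, no code) stamped with a correct checksum.
    Characteristics 0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL, matching the report's flags."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386, 0 sections, PE32 optional header size
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    image = bytearray(bytes(dos) + b"PE\x00\x00" + coff + bytes(opt))
    image += bytes(512 - len(image))                                 # pad to one 512-byte file-alignment unit
    off = checksum_field_offset(image)
    struct.pack_into("<I", image, off, pe_checksum(image, off))      # stamp the correct value
    return bytes(image)


def tamper(data: bytes, offset: int = 0x1F0) -> bytes:
    """Flip one byte outside the CheckSum field, as a patcher or packer would."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    clean = build_demo_dll()
    print(report_line(clean))
    print(report_line(tamper(clean)))
```

            One caveat when using this in triage: many legitimate binaries ship with CheckSum 0, so treat "unset" and "wrong" differently; only the latter says the file was modified after linking.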
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F2120 push ecx; ret 0_2_6E1F2129
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F2173 push ecx; ret 0_2_6E1F2183
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02BAABC0 push ecx; ret 0_2_02BAABC9
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02BAAF6F push ecx; ret 0_2_02BAAF7F
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E21DE07 push ecx; ret 0_2_6E21DE1A
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E203276 push ebx; ret