procMemory | ZeroBOX

Process memory dump for powershell.exe (PID 5096, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1


Yara signatures matches on process memory

Match: inject_thread

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: create_service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: create_com_service

  • RGxsQ2FuVW5sb2FkTm93 (DllCanUnloadNow)
  • RGxsR2V0Q2xhc3NPYmplY3Q= (DllGetClassObject)
  • RGxsSW5zdGFsbA== (DllInstall)
  • RGxsUmVnaXN0ZXJTZXJ2ZXI= (DllRegisterServer)
  • RGxsVW5yZWdpc3RlclNlcnZlcg== (DllUnregisterServer)

Match: network_udp_sock

  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU2VuZFRv (WSASendTo)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NBUmVjdkZyb20= (WSARecvFrom)
  • VWRwQ2xpZW50 (UdpClient)
  • c2VuZHRv (sendto)
  • c3lzdGVtLm5ldA== (system.net)
  • cmVjdmZyb20= (recvfrom)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_tcp_listen

  • QWNjZXB0RXg= (AcceptEx)
  • QWNjZXB0VGNwQ2xpZW50 (AcceptTcpClient)
  • R2V0QWNjZXB0RXhTb2NrYWRkcnM= (GetAcceptExSockaddrs)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQWNjZXB0 (WSAAccept)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • VGNwTGlzdGVuZXI= (TcpListener)
  • YWNjZXB0 (accept)
  • YmluZA== (bind)
  • bGlzdGVu (listen)
  • bXN3c29jay5kbGw= (mswsock.dll)
  • c3lzdGVtLm5ldA== (system.net)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_smtp_dotNet

  • U210cENsaWVudA== (SmtpClient)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)
  • c210cGNsaWVudA== (smtpclient)
  • c3lzdGVtLm5ldC5tYWls (system.net.mail)

Match: network_p2p_win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

Match: network_http

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_dropper

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: network_ftp

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_tcp_socket

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dns

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • RE5TQVBJLmRsbA== (DNSAPI.dll)
  • RG5zUXVlcnk= (DnsQuery)
  • RG5zYXBpLmRsbA== (Dnsapi.dll)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQXN5bmNHZXRIb3N0QnlOYW1l (WSAAsyncGetHostByName)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dga

  • Q1JZUFQzMi5ETEw= (CRYPT32.DLL)
  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: escalate_priv

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: keylogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: cred_local

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: sniff_audio

  • V0lOTU0uZGxs (WINMM.dll)
  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: migrate_apc

  • T3BlblRocmVhZA== (OpenThread)
  • UXVldWVVc2VyQVBD (QueueUserAPC)

Match: spreading_file

  • RGVza3RvcC5sbms= (Desktop.lnk)
  • ZGVza3RvcC5pbmk= (desktop.ini)

Match: spreading_share

  • TmV0U2hhcmVFbnVt (NetShareEnum)
  • TmV0U2hhcmVHZXRJbmZv (NetShareGetInfo)
  • TmV0YXBpMzIuZGxs (Netapi32.dll)
  • bmV0YXBpMzIuZGxs (netapi32.dll)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)
  • UmVnQ3JlYXRlS2V5QQ== (RegCreateKeyA)
  • UmVnT3BlbktleUV4QQ== (RegOpenKeyExA)
  • UmVnU2V0VmFsdWVFeEE= (RegSetValueExA)
  • UmVnUXVlcnlWYWx1ZUV4QQ== (RegQueryValueExA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_token

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • RHVwbGljYXRlVG9rZW5FeA== (DuplicateTokenEx)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)
  • TG9va3VwUHJpdmlsZWdlVmFsdWVB (LookupPrivilegeValueA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_private_profile

  • R2V0UHJpdmF0ZVByb2ZpbGVJbnRB (GetPrivateProfileIntA)
  • R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB (GetPrivateProfileStringA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • V3JpdGVQcml2YXRlUHJvZmlsZVN0cmluZ0E= (WritePrivateProfileStringA)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • Q3JlYXRlRmlsZUE= (CreateFileA)
  • RGVsZXRlRmlsZUE= (DeleteFileA)
  • RmluZENsb3Nl (FindClose)
  • RmluZEZpcnN0RmlsZUE= (FindFirstFileA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • TW92ZUZpbGVFeEE= (MoveFileExA)
  • U2V0RmlsZUF0dHJpYnV0ZXNB (SetFileAttributesA)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Winsock2_Library

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Str_Win32_Wininet_Library

  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • RGJnSGVscC5kbGw= (DbgHelp.dll)
  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • RGJnSGVscC5kbGw= (DbgHelp.dll)
  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)


URLs found in process memory
    http://crl.comodo.net/TrustedCertificateServices.crl0
    http://users.ocsp.d-trust.net03
    http://crl.ssc.lt/root-b/cacrl.crl0
    http://crl.securetrust.com/STCA.crl0
    http://crl.securetrust.com/SGCA.crl0
    http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
    http://www.ssc.lt/cps03
    http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
    http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
    http://www.microsoft.com/pki/certs/TrustListPCA.crt0
    https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
    http://www.pkioverheid.nl/policies/root-policy0
    http://cps.chambersign.org/cps/chambersroot.html0
    http://www.e-szigno.hu/SZSZ/0
    http://www.entrust.net/CRL/Client1.crl0
    http://crl.chambersign.org/publicnotaryroot.crl0
    http://crl.comodo.net/AAACertificateServices.crl0
    http://www.certplus.com/CRL/class3.crl0
    http://logo.verisign.com/vslogo.gif0
    http://www.acabogacia.org/doc0
    http://www.disig.sk/ca/crl/ca_disig.crl0
    https://www.catcert.net/verarrel
    http://www.sk.ee/cps/0
    http://www.quovadis.bm0
    https://www.catcert.net/verarrel05
    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
    http://crl.chambersign.org/chambersroot.crl0
    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
    http://crl.globalsign.net/root-r2.crl0
    http://certificates.starfieldtech.com/repository/1604
    http://www.d-trust.net0
    http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
    http://crl.ssc.lt/root-a/cacrl.crl0
    http://crl.usertrust.com/UTN-DATACorpSGC.crl0
    http://www.certicamara.com/certicamaraca.crl0
    http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
    http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
    http://www.post.trust.ie/reposit/cps.html0
    http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
    http://www2.public-trust.com/crl/ct/ctroot.crl0
    http://www.certicamara.com0
    http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
    http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
    http://www.comsign.co.il/cps0
    http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0
    http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
    http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
    http://www.signatur.rtr.at/de/directory/cps.html0
    http://www.globaltrust.info0
    http://ca.sia.it/secsrv/repository/CRL.der0J
    http://support.microsoft.com/kb/9311250
    http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl0
    https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
    http://www.certplus.com/CRL/class3TS.crl0
    http://crl.usertrust.com/UTN-USERFirst-Hardware.crl01
    http://crl.xrampsecurity.com/XGCA.crl0
    http://repository.infonotary.com/cps/qcps.html0
    http://www.firmaprofesional.com0
    http://www.disig.sk/ca0f
    http://www.acabogacia.org0
    http://www.usertrust.com1
    http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
    http://www.pki.gva.es/cps0
    http://www.certicamara.com/dpc/0Z
    http://www.e-me.lv/repository0
    http://www.dnie.es/dpc0
    http://fedir.comsign.co.il/crl/ComSignCA.crl0
    http://www.wellsfargo.com/certpolicy0
    http://repository.swisssign.com/0
    https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
    http://crl.ssc.lt/root-c/cacrl.crl0
    http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
    http://www.microsoft.com/pki/certs/CSPCA.crt0
    https://www.netlock.hu/docs/
    http://www.quovadisglobal.com/cps0
    http://crl.pki.wellsfargo.com/wsprca.crl0
    http://www.a-cert.at0E
    http://www.e-szigno.hu/RootCA.crl
    http://www.e-szigno.hu/RootCA.crt0
    http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
    http://www.trustdst.com/certificates/policy/ACES-index.html0
    https://rca.e-szigno.hu/ocsp0-
    https://ca.sia.it/seccli/repository/CPS0
    http://www.chambersign.org1
    http://qual.ocsp.d-trust.net0
    http://www.ancert.com/cps0
    https://ca.sia.it/secsrv/repository/CPS0
    http://www.certifikat.dk/repository0
    http://www.entrust.net/CRL/net1.crl0
    http://www.trustcenter.de/guidelines0
    http://cps.chambersign.org/cps/publicnotaryroot.html0
    http://www.xmlspy.com
    http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
    https://ocsp.quovadisoffshore.com0
    http://www.e-trust.be/CPS/QNcerts
    http://www.certplus.com/CRL/class1.crl0
    http://ocsp.infonotary.com/responder.cgi0V
    http://ca.disig.sk/ca/crl/ca_disig.crl0
    http://www.registradores.org/scr/normativa/cp_f2.htm0
    http://crl.oces.certifikat.dk/oces.crl0
    http://ca.sia.it/seccli/repository/CRL.der0J
    http://www.signatur.rtr.at/current.crl0
    http://www.certplus.com/CRL/class2.crl0
    http://www.a-cert.at/certificate-policy.html0
    http://www.crc.bg0
    http://crl.chambersign.org/chambersignroot.crl0
    http://www.certplus.com/CRL/class3P.crl0
    https://www.netlock.net/docs
    http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
    http://www.microsoft.com/pki/certs/tspca.crt0
    http://ocsp.pki.gva.es0
    http://www.rootca.or.kr/rca/cps.html0
    http://crl.comodoca.com/TrustedCertificateServices.crl0:
    http://www.echoworx.com/ca/root2/cps.pdf0
    http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
    http://microsoft.com0
    http://www.valicert.com/1
    http://crl.comodoca.com/AAACertificateServices.crl06
    http://www.sk.ee/juur/crl/0
    http://www.usertrust.com1604
    http://cps.chambersign.org/cps/chambersignroot.html0
    http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    http://www.d-trust.net/crl/d-trust_root_class_3_ca_2007.crl0
    
                                                

Process memory dump for timeout.exe (PID 6952, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1


Yara signatures matches on process memory

Match: inject_thread

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: create_service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: network_udp_sock

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU2VuZFRv (WSASendTo)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NBUmVjdkZyb20= (WSARecvFrom)
  • c2VuZHRv (sendto)
  • cmVjdmZyb20= (recvfrom)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_tcp_listen

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQWNjZXB0 (WSAAccept)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • YWNjZXB0 (accept)
  • YmluZA== (bind)
  • bGlzdGVu (listen)
  • bXN3c29jay5kbGw= (mswsock.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_p2p_win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

Match: network_http

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_dropper

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: network_ftp

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_tcp_socket

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dns

  • RG5zUXVlcnk= (DnsQuery)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQXN5bmNHZXRIb3N0QnlOYW1l (WSAAsyncGetHostByName)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dga

  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: escalate_priv

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: keylogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: cred_local

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: sniff_audio

  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: migrate_apc

  • T3BlblRocmVhZA== (OpenThread)
  • UXVldWVVc2VyQVBD (QueueUserAPC)

Match: spreading_file

  • ZGVza3RvcC5pbmk= (desktop.ini)

Match: spreading_share

  • TmV0U2hhcmVFbnVt (NetShareEnum)
  • TmV0U2hhcmVHZXRJbmZv (NetShareGetInfo)
  • bmV0YXBpMzIuZGxs (netapi32.dll)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)
  • UmVnQ3JlYXRlS2V5QQ== (RegCreateKeyA)
  • UmVnT3BlbktleUV4QQ== (RegOpenKeyExA)
  • UmVnU2V0VmFsdWVFeEE= (RegSetValueExA)
  • UmVnUXVlcnlWYWx1ZUV4QQ== (RegQueryValueExA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_token

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • RHVwbGljYXRlVG9rZW5FeA== (DuplicateTokenEx)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)
  • TG9va3VwUHJpdmlsZWdlVmFsdWVB (LookupPrivilegeValueA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_private_profile

  • R2V0UHJpdmF0ZVByb2ZpbGVJbnRB (GetPrivateProfileIntA)
  • R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB (GetPrivateProfileStringA)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • V3JpdGVQcml2YXRlUHJvZmlsZVN0cmluZ0E= (WritePrivateProfileStringA)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • Q3JlYXRlRmlsZUE= (CreateFileA)
  • RGVsZXRlRmlsZUE= (DeleteFileA)
  • RmluZENsb3Nl (FindClose)
  • RmluZEZpcnN0RmlsZUE= (FindFirstFileA)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • TW92ZUZpbGVFeEE= (MoveFileExA)
  • U2V0RmlsZUF0dHJpYnV0ZXNB (SetFileAttributesA)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)

Match: Str_Win32_Winsock2_Library

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Str_Win32_Wininet_Library

  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • dXNlcjMyLmRsbA== (user32.dll)


Process memory dump for shedyx.exe (PID 7132, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1
Download #2


Yara signatures matches on process memory

Match: inject_thread

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: create_com_service

  • RGxsQ2FuVW5sb2FkTm93 (DllCanUnloadNow)
  • RGxsR2V0Q2xhc3NPYmplY3Q= (DllGetClassObject)
  • RGxsSW5zdGFsbA== (DllInstall)
  • RGxsUmVnaXN0ZXJTZXJ2ZXI= (DllRegisterServer)
  • RGxsVW5yZWdpc3RlclNlcnZlcg== (DllUnregisterServer)

Match: network_udp_sock

  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU2VuZFRv (WSASendTo)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NBUmVjdkZyb20= (WSARecvFrom)
  • VWRwQ2xpZW50 (UdpClient)
  • c2VuZHRv (sendto)
  • c3lzdGVtLm5ldA== (system.net)
  • cmVjdmZyb20= (recvfrom)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_tcp_listen

  • QWNjZXB0RXg= (AcceptEx)
  • QWNjZXB0VGNwQ2xpZW50 (AcceptTcpClient)
  • R2V0QWNjZXB0RXhTb2NrYWRkcnM= (GetAcceptExSockaddrs)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • VGNwTGlzdGVuZXI= (TcpListener)
  • YWNjZXB0 (accept)
  • YmluZA== (bind)
  • bGlzdGVu (listen)
  • bXN3c29jay5kbGw= (mswsock.dll)
  • c3lzdGVtLm5ldA== (system.net)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_smtp_dotNet

  • U210cENsaWVudA== (SmtpClient)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)

Match: network_dropper

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: network_tcp_socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dns

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • RE5TQVBJLmRsbA== (DNSAPI.dll)
  • RG5zUXVlcnk= (DnsQuery)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dga

  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: escalate_priv

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: keylogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)
  • UmVnQ3JlYXRlS2V5QQ== (RegCreateKeyA)
  • UmVnT3BlbktleUV4QQ== (RegOpenKeyExA)
  • UmVnU2V0VmFsdWVFeEE= (RegSetValueExA)
  • UmVnUXVlcnlWYWx1ZUV4QQ== (RegQueryValueExA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_token

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • RHVwbGljYXRlVG9rZW5FeA== (DuplicateTokenEx)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • RmluZENsb3Nl (FindClose)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Winsock2_Library

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Str_Win32_Wininet_Library

  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: Check_Dlls

  • UABTAFQATwBSAEUAQwAuAEQATABMAA== (PSTOREC.DLL)
  • ZABiAGcAaABlAGwAcAAuAGQAbABsAA== (dbghelp.dll)

Match: anti_dbg

  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)


URLs found in process memory
    http://www.expedia.com/favicon.ico
    http://uk.ask.com/favicon.ico
    http://www.priceminister.com/
    http://crl.identrust.com/DSTROOTCAX3CRL.crl0
    http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
    http://www.iask.com/favicon.ico
    http://www.merlin.com.pl/favicon.ico
    http://www.cnet.com/favicon.ico
    http://search.nifty.com/
    http://ns.adobe.com/exif/1.0/
    http://www.etmall.com.tw/
    http://search.goo.ne.jp/
    http://fr.wikipedia.org/favicon.ico
    http://busca.estadao.com.br/favicon.ico
    http://search.hanafos.com/favicon.ico
    http://search.chol.com/favicon.ico
    http://amazon.fr/
    http://www.amazon.co.jp/
    http://www.mtv.com/favicon.ico
    http://busqueda.aol.com.mx/
    http://search.live.com/results.aspx?FORM=SOLTDF
    http://msdn.microsoft.com/
    http://www.sogou.com/favicon.ico
    http://yellowpages.superpages.com/
    http://suche.freenet.de/
    http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson
    http://search.aol.com/
    http://browse.guardian.co.uk/
    http://www.mercadolibre.com.mx/
    http://www.auction.co.kr/auction.ico
    http://www.facebook.com/
    http://si.wikipedia.org/favicon.ico
    http://www.rtl.de/favicon.ico
    http://search.msn.com/results.aspx?q=
    http://www.microsoft.com/pki/certs/MicrosoftWinPCA.crt0
    http://search.naver.com/favicon.ico
    https://www.verisign.com/repository/verisignlogo.gif0D
    http://isrg.trustid.ocsp.identrust.com0
    https://s2-prod.liverpool.com/
    http://en.wikipedia.org/favicon.ico
    http://si.wikipedia.org/w/api.php?action=opensearch
    http://udn.com/favicon.ico
    http://rover.ebay.com
    http://search.ebay.fr/
    http://www.univision.com/
    http://pt.wikipedia.org/w/api.php?action=opensearch
    http://it.wikipedia.org/favicon.ico
    http://uk.ask.com/
    http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    http://www.google.co.uk/
    http://cnweb.search.live.com/results.aspx?q=
    http://www.google.cz/
    http://www.google.co.jp/
    http://search.ebay.co.uk/
    http://crl.verisign.com/pca3.crl0
    http://www.weather.com/
    http://www.taobao.com/favicon.ico
    http://www.news.com.au/favicon.ico
    http://search.orange.co.uk/favicon.ico
    http://video.globo.com/
    https://quantcast.mgr.consensu.org
    http://search.ebay.de/
    http://www.taobao.com/
    http://find.joins.com/
    http://corp.naukri.com/favicon.ico
    http://www.servicios.clarin.com/
    http://localhost
    http://www.rambler.ru/favicon.ico
    http://www.linternaute.com/favicon.ico
    http://ns.adobe.com/photoshop/1.0/
    http://www.shopzilla.com/
    http://www.amazon.com/gp/search?ie=UTF8
    http://search.live.com/results.aspx?FORM=SO2TDF
    http://busca.orange.es/
    http://www.excite.co.jp/
    http://cs.wikipedia.org/
    http://www.gismeteo.ru/favicon.ico
    http://www.cjmall.com/favicon.ico
    http://suche.t-online.de/
    http://www.ya.com/favicon.ico
    http://list.taobao.com/
    http://www.priceminister.com/favicon.ico
    http://cert.startcom.org/policy.pdf05
    http://www.mercadolibre.com.mx/favicon.ico
    http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    http://ns.adobe.com/tiff/1.0/
    http://www.otto.de/favicon.ico
    http://www.iask.com/
    http://www.arrakis.com/
    http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
    http://search.ebay.es/
    http://search.gamer.com.tw/
    http://www.tiscali.it/favicon.ico
    http://ns.adobe.com/xap/1.0/
    http://www.soso.com/favicon.ico
    http://microsoft.com0
    http://recherche.tf1.fr/
    http://si.wikipedia.org/
    http://search.livedoor.com/
    http://search.centrum.cz/
    https://www.verisign.com/repository/CPS
    http://www.t-online.de/favicon.ico
    http://ja.wikipedia.org/favicon.ico
    http://www.abril.com.br/favicon.ico
    http://clients5.google.com/complete/search?hl=
    http://www.ozon.ru/
    http://search.alice.it/
    http://www.microsoft.com/windowsxp/expertzone/
    http://www.recherche.aol.fr/
    http://crl.startcom.org/sfsca-crl.crl0
    http://cnet.search.com/
    https://i2-prod.liverpool.com
    http://www.walmart.com/
    http://espn.go.com/favicon.ico
    http://msdn.microsoft.com/workshop/security/szone/overview/templates.asp)
    http://search.interpark.com/
    http://www.gmarket.co.kr/favicon.ico
    http://www.neckermann.de/favicon.ico
    http://sitesearch.timesonline.co.uk/
    http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
    http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    http://cn.bing.com/search?q=
    http://video.globo.com/favicon.ico
    http://es.wikipedia.org/
    http://img.atlas.cz/favicon.ico
    http://searchresults.news.com.au/
    http://update.microsoft.com/windowsupdate
    http://search.rediff.com/
    http://search.lycos.co.uk/
    http://en.wikipedia.org/
    http://www.google.com.tw/
    http://www.tchibo.de/
    http://www.google.com/
    http://buscador.terra.es/
    http://www.digicert.com/CPS0
    http://search.msn.co.jp/results.aspx?q=
    http://www.mercadolivre.com.br/favicon.ico
    http://ja.wikipedia.org/
    http://search.chol.com/
    http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
    http://search.espn.go.com/
    http://www.google.com.sa/
    http://jobsearch.monster.com/
    http://cert.startcom.org/sfsca-crl.crl0
    http://buscador.terra.com/
    http://www.google.co.in/
    http://www.google.fr/
    http://www.microsoft.com
    http://www.cdiscount.com/favicon.ico
    http://asp.usatoday.com/
    http://vachercher.lycos.fr/
    http://www.yam.com/favicon.ico
    http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
    http://search.sify.com/
    http://search.ebay.com/favicon.ico
    http://www.paginasamarillas.es/
    http://nl.wikipedia.org/
    http://search.alice.it/favicon.ico
    http://www.ask.com/
    http://www.so-net.ne.jp/share/favicon.ico
    http://espanol.search.yahoo.com/
    http://www.alarabiya.net/favicon.ico
    http://crl4.digicert.com/sha2-assured-ts.crl0
    http://ocnsearch.goo.ne.jp/
    http://search.naver.com/
    http://www.asharqalawsat.com/
    http://buscador.terra.com.br/
    http://search.msn.co.uk/results.aspx?q=
    http://www.google.de/
    http://busca.igbusca.com.br//app/static/images/favicon.ico
    http://cps.root-x1.letsencrypt.org0
    http://www.rambler.ru/
    http://esearch.rakuten.co.jp/
    http://www.cdiscount.com/
    http://www.mercadolivre.com.br/
    https://www.verisign.com/rpa0
    http://www.facebook.com/favicon.ico
    http://search.hanafos.com/
    http://sads.myspace.com/
    http://suche.web.de/
    http://recherche.tf1.fr/favicon.ico
    http://cs.wikipedia.org/w/api.php?action=opensearch
    http://search.dreamwiz.com/
    http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService
    http://www.yandex.ru/
    http://www.baidu.com/favicon.ico
    http://ariadna.elmundo.es/
    http://www.rtl.de/
    http://es.search.yahoo.com/
    http://p.zhongsou.com/
    http://es.wikipedia.org/favicon.ico
    http://cert.startcom.org/intermediate.pdf0
    http://www.timesonline.co.uk/img/favicon.ico
    http://buscar.ozu.es/
    http://so-net.search.goo.ne.jp/
    http://cgi.search.biglobe.ne.jp/favicon.ico
    http://list.taobao.com/browse/search_visual.htm?n=15
    http://www.soso.com/
    http://www.afisha.ru/App_Themes/Default/images/favicon.ico
    http://img.shopzilla.com/shopzilla/shopzilla.ico
    http://wellformedweb.org/CommentAPI/
    http://search.orange.co.uk/
    http://ariadna.elmundo.es/favicon.ico
    http://search.gismeteo.ru/
    http://www3.fnac.com/favicon.ico
    http://en.wikipedia.org/w/api.php?action=opensearch
    http://support.microsoft.com
    http://in.search.yahoo.com/
    http://www.etmall.com.tw/favicon.ico
    http://www.ceneo.pl/favicon.ico
    http://service2.bfast.com/
    http://tw.search.yahoo.com/
    http://es.ask.com/
    https://www.verisign.com
    http://www.ozu.es/favicon.ico
    http://ru.wikipedia.org/
    http://google.pchome.com.tw/
    http://cert.startcom.org/policy.pdf0
    http://p.zhongsou.com/favicon.ico
    http://search.ebay.com/
    http://search1.taobao.com/
    http://br.search.yahoo.com/
    http://crt.comodoca.com/COMODORSAAddTrustCA.crt0
    http://suche.lycos.de/
    http://www.asharqalawsat.com/favicon.ico
    http://mail.live.com/
    http://ru.search.yahoo.com
    http://de.wikipedia.org/
    http://www.microsoft.com/pkiops/docs/primarycps.htm0
    http://crl.comodo.net/AAACertificateServices.crl0
    http://ns.adobe.com/xap/1.0/mm/
    http://www.google.ru/
    http://search.empas.com/favicon.ico
    http://search.seznam.cz/
    http://de.wikipedia.org/w/api.php?action=opensearch
    http://www.expedia.com/
    http://www.clarin.com/favicon.ico
    http://busca.uol.com.br/
    http://go2.microsoft.com/fwlink/?LinkId=131738
    http://mail.live.com/?rru=compose%3Fsubject%3D
    http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    http://buscador.terra.com/favicon.ico
    http://crl.globalsign.net/root-r2.crl0
    http://purl.org/rss/1.0/modules/slash/
    http://ie8.ebay.com/open-search/output-xml.php?q=
    http://www.kkbox.com.tw/favicon.ico
    http://www.ocn.ne.jp/favicon.ico
    http://corp.naukri.com/
    http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended
    https://www.google-analytics.com
    http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity
    http://search.yahoo.co.jp/favicon.ico
    http://pl.wikipedia.org/w/api.php?action=opensearch
    http://www.weather.com/favicon.ico
    http://search.centrum.cz/favicon.ico
    http://search.yam.com/
    http://search.live.com/results.aspx?q=
    http://busca.uol.com.br/favicon.ico
    http://images.joins.com/ui_c/fvc_joins.ico
    http://cgi.search.biglobe.ne.jp/
    http://msk.afisha.ru/
    http://es.wikipedia.org/w/api.php?action=opensearch
    http://www.google.pl/
    http://www.arrakis.com/favicon.ico
    http://search.microsoft.com/
    http://search.goo.ne.jp/favicon.ico
    http://image.excite.co.jp/jp/favicon/lep.ico
    http://www.merlin.com.pl/
    http://www.amazon.de/
    http://www.sogou.com/
    https://s2-prod.liverpool.com
    http://cerca.lycos.it/
    http://www.usertrust.com1
    http://www.orange.fr/
    http://www.microsofttranslator.com/?ref=IE8Activity
    http://www.rakuten.co.jp/favicon.ico
    http://search.nate.com/
    http://crl.usertrust.com/AddTrustExternalCARoot.crl05
    http://www.nate.com/favicon.ico
    http://de.wikipedia.org/favicon.ico
    http://apps.identrust.com/roots/dstrootcax3.p7c0
    http://ru.wikipedia.org/w/api.php?action=opensearch
    http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
    http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
    https://www.example.com
    http://www.microsoft.com/PKI/docs/CPS/default.htm0
    http://nl.wikipedia.org/favicon.ico
    http://it.search.yahoo.com/
    http://www.google.it/
    http://ocsp.usertrust.com0
    http://suche.web.de/favicon.ico
    http://www.paginasamarillas.es/favicon.ico
    http://search.seznam.cz/favicon.ico
    http://search.livedoor.com/favicon.ico
    http://search.lycos.com/
    http://fr.wikipedia.org/w/api.php?action=opensearch
    http://search.dreamwiz.com/favicon.ico
    http://www.kkbox.com.tw/
    http://suche.aol.de/
    https://www.digicert.com/CPS0
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
    http://it.search.dada.net/
    http://search.empas.com/
    http://yellowpages.superpages.com/favicon.ico
    http://arianna.libero.it/
    http://www.dailymail.co.uk/
    http://ru.wikipedia.org/favicon.ico
    http://search.auction.co.kr/
    http://ns.adobe.com/pdf/1.3/
    https://www.verisign.com/CPS04
    http://search.lycos.com/favicon.ico
    http://www3.fnac.com/
    http://search.yahoo.co.jp
    http://asp.usatoday.com/favicon.ico
    http://search.msn.com.cn/results.aspx?q=
    http://cn.bing.com/favicon.ico
    http://search2.estadao.com.br/
    http://search.cn.yahoo.com/
    http://www.microsoft.com/pki/crl/products/WinPCA.crl0R
    http://ie.search.yahoo.com/os?command=
    http://www.tesco.com/
    http://search-dyn.tiscali.it/
    http://search.ipop.co.kr/favicon.ico
    http://arianna.libero.it/favicon.ico
    http://www.myspace.com/favicon.ico
    http://it.wikipedia.org/
    http://www.dailymail.co.uk/favicon.ico
    http://www.microsoft.com/schemas/rss/core/2005/internal
    http://home.altervista.org/
    http://it.search.dada.net/favicon.ico
    http://www.gmarket.co.kr/
    http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
    http://price.ru/favicon.ico
    http://www.google.com.br/
    http://buscar.ya.com/
    http://images.monster.com/favicon.ico
    http://search.ebay.it/
    http://www.alarabiya.net/
    http://www.najdi.si/
    http://www.maktoob.com/favicon.ico
    http://purl.org/rss/1.0/modules/content/
    http://ocsp.comodoca.com0
    http://logo.verisign.com/vslogo.gif0
    https://www.googletagmanager.com
    http://price.ru/
    http://crl3.digicert.com/sha2-assured-ts.crl02
    https://felix.data.tm-awx.com
    http://www.najdi.si/favicon.ico
    http://kr.search.yahoo.com/
    http://www.aol.com/favicon.ico
    http://www.ozon.ru/favicon.ico
    http://pl.wikipedia.org/
    http://www.target.com/favicon.ico
    http://fr.search.yahoo.com/
    http://search.daum.net/
    http://de.search.yahoo.com/
    http://suche.freenet.de/favicon.ico
    http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    http://www.ceneo.pl/
    http://busca.buscape.com.br/favicon.ico
    http://www.microsoft.com/favicon.ico
    http://auone.jp/favicon.ico
    http://buscador.lycos.es/
    http://search.yahoo.com/
    http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp)
    http://search.rediff.com/favicon.ico
    http://search.auone.jp/
    http://web.ask.com/
    http://search.books.com.tw/
    http://search.ebay.in/
    http://search.about.com/
    http://www.neckermann.de/
    http://browse.guardian.co.uk/favicon.ico
    http://www.tesco.com/favicon.ico
    http://search.ipop.co.kr/
    http://www.target.com/
    http://www.amazon.com/favicon.ico
    http://recherche.linternaute.com/
    http://pt.wikipedia.org/favicon.ico
    http://openimage.interpark.com/interpark.ico
    http://www.google.si/
    http://www.yandex.ru/favicon.ico
    http://www.google.com/favicon.ico
    http://search.daum.net/favicon.ico
    http://www.walmart.com/favicon.ico
    http://udn.com/
    http://purl.org/dc/elements/1.1/
    http://www.google.es/
    http://www.cnet.co.uk/
    http://www.mtv.com/
    http://search.live.com/results.aspx?FORM=IEFM1
    http://www.abril.com.br/
    http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    http://www.baidu.com/
    http://www.microsoft.com/schemas/ie9compatlistdescription/1.0
    http://www.amazon.co.uk/
    http://it.wikipedia.org/w/api.php?action=opensearch
    http://www.tchibo.de/favicon.ico
    http://www.pchome.com.tw/favicon.ico
    http://pt.wikipedia.org/
    http://ns.adobe.com/xap/1.0/sType/ResourceEvent
    http://fr.wikipedia.org/
    http://ja.wikipedia.org/w/api.php?action=opensearch
    http://www.chennaionline.com/ncommon/images/collogo.ico
    http://www.cjmall.com/
    http://uk.search.yahoo.com/
    http://search.yahoo.com/favicon.ico
    http://busca.igbusca.com.br/
    https://localhost
    http://www.nifty.com/favicon.ico
    http://www.sify.com/favicon.ico
    http://home.altervista.org/favicon.ico
    http://search.gamer.com.tw/favicon.ico
    http://busca.buscape.com.br/
    http://search.atlas.cz/
    http://ocsp.digicert.com0C
    http://ocsp.digicert.com0O
    http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
    http://search.aol.co.uk/
    http://pl.wikipedia.org/favicon.ico
    http://ns.adobe.com/iX/1.0/
    http://search.books.com.tw/favicon.ico
    http://search.aol.in/
    https://example.com
    http://cs.wikipedia.org/favicon.ico
    http://www.valicert.com/1
    http://crl.comodoca.com/AAACertificateServices.crl06
    http://crl.comodoca.com/AAACertificateServices.crl04
    http://beta.visualstudio.net/net/sdk/feedback.asp
    http://z.about.com/m/a08.ico
    http://www.univision.com/favicon.ico
    http://nl.wikipedia.org/w/api.php?action=opensearch
    
                                                

Process memory dump for shedyx.exe (PID 7132, dump 2)

Extracted/injected images (may contain unpacked executables)
Download #1
Download #2


Yara signatures matches on process memory

Match: inject_thread

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: create_com_service

  • RGxsQ2FuVW5sb2FkTm93 (DllCanUnloadNow)
  • RGxsR2V0Q2xhc3NPYmplY3Q= (DllGetClassObject)
  • RGxsSW5zdGFsbA== (DllInstall)
  • RGxsUmVnaXN0ZXJTZXJ2ZXI= (DllRegisterServer)
  • RGxsVW5yZWdpc3RlclNlcnZlcg== (DllUnregisterServer)

Match: network_udp_sock

  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU2VuZFRv (WSASendTo)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NBUmVjdkZyb20= (WSARecvFrom)
  • VWRwQ2xpZW50 (UdpClient)
  • c2VuZHRv (sendto)
  • c3lzdGVtLm5ldA== (system.net)
  • cmVjdmZyb20= (recvfrom)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_tcp_listen

  • QWNjZXB0RXg= (AcceptEx)
  • QWNjZXB0VGNwQ2xpZW50 (AcceptTcpClient)
  • R2V0QWNjZXB0RXhTb2NrYWRkcnM= (GetAcceptExSockaddrs)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • VGNwTGlzdGVuZXI= (TcpListener)
  • YWNjZXB0 (accept)
  • YmluZA== (bind)
  • bGlzdGVu (listen)
  • bXN3c29jay5kbGw= (mswsock.dll)
  • c3lzdGVtLm5ldA== (system.net)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_smtp_dotNet

  • U210cENsaWVudA== (SmtpClient)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)

Match: network_dropper

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: network_tcp_socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dns

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • RE5TQVBJLmRsbA== (DNSAPI.dll)
  • RG5zUXVlcnk= (DnsQuery)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dga

  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: escalate_priv

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: keylogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)
  • UmVnQ3JlYXRlS2V5QQ== (RegCreateKeyA)
  • UmVnT3BlbktleUV4QQ== (RegOpenKeyExA)
  • UmVnU2V0VmFsdWVFeEE= (RegSetValueExA)
  • UmVnUXVlcnlWYWx1ZUV4QQ== (RegQueryValueExA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_token

  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • RHVwbGljYXRlVG9rZW5FeA== (DuplicateTokenEx)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • RmluZENsb3Nl (FindClose)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Winsock2_Library

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Str_Win32_Wininet_Library

  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: Check_Dlls

  • UABTAFQATwBSAEUAQwAuAEQATABMAA== (PSTOREC.DLL)
  • ZABiAGcAaABlAGwAcAAuAGQAbABsAA== (dbghelp.dll)

Match: anti_dbg

  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)


URLs found in process memory
    http://www.expedia.com/favicon.ico
    http://uk.ask.com/favicon.ico
    http://www.priceminister.com/
    http://crl.identrust.com/DSTROOTCAX3CRL.crl0
    http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
    http://www.iask.com/favicon.ico
    http://www.merlin.com.pl/favicon.ico
    http://www.cnet.com/favicon.ico
    http://search.nifty.com/
    http://ns.adobe.com/exif/1.0/
    http://www.etmall.com.tw/
    http://search.goo.ne.jp/
    http://fr.wikipedia.org/favicon.ico
    http://busca.estadao.com.br/favicon.ico
    http://search.hanafos.com/favicon.ico
    http://search.chol.com/favicon.ico
    http://amazon.fr/
    http://www.amazon.co.jp/
    http://www.mtv.com/favicon.ico
    http://busqueda.aol.com.mx/
    http://search.live.com/results.aspx?FORM=SOLTDF
    http://msdn.microsoft.com/
    http://www.sogou.com/favicon.ico
    http://yellowpages.superpages.com/
    http://suche.freenet.de/
    http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson
    http://search.aol.com/
    http://browse.guardian.co.uk/
    http://www.mercadolibre.com.mx/
    http://www.auction.co.kr/auction.ico
    http://www.facebook.com/
    http://si.wikipedia.org/favicon.ico
    http://www.rtl.de/favicon.ico
    http://search.msn.com/results.aspx?q=
    http://www.microsoft.com/pki/certs/MicrosoftWinPCA.crt0
    http://search.naver.com/favicon.ico
    https://www.verisign.com/repository/verisignlogo.gif0D
    http://isrg.trustid.ocsp.identrust.com0
    https://s2-prod.liverpool.com/
    http://en.wikipedia.org/favicon.ico
    http://si.wikipedia.org/w/api.php?action=opensearch
    http://udn.com/favicon.ico
    http://rover.ebay.com
    http://search.ebay.fr/
    http://www.univision.com/
    http://pt.wikipedia.org/w/api.php?action=opensearch
    http://it.wikipedia.org/favicon.ico
    http://uk.ask.com/
    http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    http://www.google.co.uk/
    http://cnweb.search.live.com/results.aspx?q=
    http://www.google.cz/
    http://www.google.co.jp/
    http://search.ebay.co.uk/
    http://crl.verisign.com/pca3.crl0
    http://www.weather.com/
    http://www.taobao.com/favicon.ico
    http://www.news.com.au/favicon.ico
    http://search.orange.co.uk/favicon.ico
    http://video.globo.com/
    https://quantcast.mgr.consensu.org
    http://search.ebay.de/
    http://www.taobao.com/
    http://find.joins.com/
    http://corp.naukri.com/favicon.ico
    http://www.servicios.clarin.com/
    http://localhost
    http://www.rambler.ru/favicon.ico
    http://www.linternaute.com/favicon.ico
    http://ns.adobe.com/photoshop/1.0/
    http://www.shopzilla.com/
    http://www.amazon.com/gp/search?ie=UTF8
    http://search.live.com/results.aspx?FORM=SO2TDF
    http://busca.orange.es/
    http://www.excite.co.jp/
    http://cs.wikipedia.org/
    http://www.gismeteo.ru/favicon.ico
    http://www.cjmall.com/favicon.ico
    http://suche.t-online.de/
    http://www.ya.com/favicon.ico
    http://list.taobao.com/
    http://www.priceminister.com/favicon.ico
    http://cert.startcom.org/policy.pdf05
    http://www.mercadolibre.com.mx/favicon.ico
    http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    http://ns.adobe.com/tiff/1.0/
    http://www.otto.de/favicon.ico
    http://www.iask.com/
    http://www.arrakis.com/
    http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
    http://search.ebay.es/
    http://search.gamer.com.tw/
    http://www.tiscali.it/favicon.ico
    http://ns.adobe.com/xap/1.0/
    http://www.soso.com/favicon.ico
    http://microsoft.com0
    http://recherche.tf1.fr/
    http://si.wikipedia.org/
    http://search.livedoor.com/
    http://search.centrum.cz/
    https://www.verisign.com/repository/CPS
    http://www.t-online.de/favicon.ico
    http://ja.wikipedia.org/favicon.ico
    http://www.abril.com.br/favicon.ico
    http://clients5.google.com/complete/search?hl=
    http://www.ozon.ru/
    http://search.alice.it/
    http://www.microsoft.com/windowsxp/expertzone/
    http://www.recherche.aol.fr/
    http://crl.startcom.org/sfsca-crl.crl0
    http://cnet.search.com/
    https://i2-prod.liverpool.com
    http://www.walmart.com/
    http://espn.go.com/favicon.ico
    http://msdn.microsoft.com/workshop/security/szone/overview/templates.asp)
    http://search.interpark.com/
    http://www.gmarket.co.kr/favicon.ico
    http://www.neckermann.de/favicon.ico
    http://sitesearch.timesonline.co.uk/
    http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
    http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    http://cn.bing.com/search?q=
    http://video.globo.com/favicon.ico
    http://es.wikipedia.org/
    http://img.atlas.cz/favicon.ico
    http://searchresults.news.com.au/
    http://update.microsoft.com/windowsupdate
    http://search.rediff.com/
    http://search.lycos.co.uk/
    http://en.wikipedia.org/
    http://www.google.com.tw/
    http://www.tchibo.de/
    http://www.google.com/
    http://buscador.terra.es/
    http://www.digicert.com/CPS0
    http://search.msn.co.jp/results.aspx?q=
    http://www.mercadolivre.com.br/favicon.ico
    http://ja.wikipedia.org/
    http://search.chol.com/
    http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
    http://search.espn.go.com/
    http://www.google.com.sa/
    http://jobsearch.monster.com/
    http://cert.startcom.org/sfsca-crl.crl0
    http://buscador.terra.com/
    http://www.google.co.in/
    http://www.google.fr/
    http://www.microsoft.com
    http://www.cdiscount.com/favicon.ico
    http://asp.usatoday.com/
    http://vachercher.lycos.fr/
    http://www.yam.com/favicon.ico
    http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
    http://search.sify.com/
    http://search.ebay.com/favicon.ico
    http://www.paginasamarillas.es/
    http://nl.wikipedia.org/
    http://search.alice.it/favicon.ico
    http://www.ask.com/
    http://www.so-net.ne.jp/share/favicon.ico
    http://espanol.search.yahoo.com/
    http://www.alarabiya.net/favicon.ico
    http://crl4.digicert.com/sha2-assured-ts.crl0
    http://ocnsearch.goo.ne.jp/
    http://search.naver.com/
    http://www.asharqalawsat.com/
    http://buscador.terra.com.br/
    http://search.msn.co.uk/results.aspx?q=
    http://www.google.de/
    http://busca.igbusca.com.br//app/static/images/favicon.ico
    http://cps.root-x1.letsencrypt.org0
    http://www.rambler.ru/
    http://esearch.rakuten.co.jp/
    http://www.cdiscount.com/
    http://www.mercadolivre.com.br/
    https://www.verisign.com/rpa0
    http://www.facebook.com/favicon.ico
    http://search.hanafos.com/
    http://sads.myspace.com/
    http://suche.web.de/
    http://recherche.tf1.fr/favicon.ico
    http://cs.wikipedia.org/w/api.php?action=opensearch
    http://search.dreamwiz.com/
    http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService
    http://www.yandex.ru/
    http://www.baidu.com/favicon.ico
    http://ariadna.elmundo.es/
    http://www.rtl.de/
    http://es.search.yahoo.com/
    http://p.zhongsou.com/
    http://es.wikipedia.org/favicon.ico
    http://cert.startcom.org/intermediate.pdf0
    http://www.timesonline.co.uk/img/favicon.ico
    http://buscar.ozu.es/
    http://so-net.search.goo.ne.jp/
    http://cgi.search.biglobe.ne.jp/favicon.ico
    http://list.taobao.com/browse/search_visual.htm?n=15
    http://www.soso.com/
    http://www.afisha.ru/App_Themes/Default/images/favicon.ico
    http://img.shopzilla.com/shopzilla/shopzilla.ico
    http://wellformedweb.org/CommentAPI/
    http://search.orange.co.uk/
    http://ariadna.elmundo.es/favicon.ico
    http://search.gismeteo.ru/
    http://www3.fnac.com/favicon.ico
    http://en.wikipedia.org/w/api.php?action=opensearch
    http://support.microsoft.com
    http://in.search.yahoo.com/
    http://www.etmall.com.tw/favicon.ico
    http://www.ceneo.pl/favicon.ico
    http://service2.bfast.com/
    http://tw.search.yahoo.com/
    http://es.ask.com/
    https://www.verisign.com
    http://www.ozu.es/favicon.ico
    http://ru.wikipedia.org/
    http://google.pchome.com.tw/
    http://cert.startcom.org/policy.pdf0
    http://p.zhongsou.com/favicon.ico
    http://search.ebay.com/
    http://search1.taobao.com/
    http://br.search.yahoo.com/
    http://crt.comodoca.com/COMODORSAAddTrustCA.crt0
    http://suche.lycos.de/
    http://www.asharqalawsat.com/favicon.ico
    http://mail.live.com/
    http://ru.search.yahoo.com
    http://de.wikipedia.org/
    http://www.microsoft.com/pkiops/docs/primarycps.htm0
    http://crl.comodo.net/AAACertificateServices.crl0
    http://ns.adobe.com/xap/1.0/mm/
    http://www.google.ru/
    http://search.empas.com/favicon.ico
    http://search.seznam.cz/
    http://de.wikipedia.org/w/api.php?action=opensearch
    http://www.expedia.com/
    http://www.clarin.com/favicon.ico
    http://busca.uol.com.br/
    http://go2.microsoft.com/fwlink/?LinkId=131738
    http://mail.live.com/?rru=compose%3Fsubject%3D
    http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    http://buscador.terra.com/favicon.ico
    http://crl.globalsign.net/root-r2.crl0
    http://purl.org/rss/1.0/modules/slash/
    http://ie8.ebay.com/open-search/output-xml.php?q=
    http://www.kkbox.com.tw/favicon.ico
    http://www.ocn.ne.jp/favicon.ico
    http://corp.naukri.com/
    http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended
    https://www.google-analytics.com
    http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity
    http://search.yahoo.co.jp/favicon.ico
    http://pl.wikipedia.org/w/api.php?action=opensearch
    http://www.weather.com/favicon.ico
    http://search.centrum.cz/favicon.ico
    http://search.yam.com/
    http://search.live.com/results.aspx?q=
    http://busca.uol.com.br/favicon.ico
    http://images.joins.com/ui_c/fvc_joins.ico
    http://cgi.search.biglobe.ne.jp/
    http://msk.afisha.ru/
    http://es.wikipedia.org/w/api.php?action=opensearch
    http://www.google.pl/
    http://www.arrakis.com/favicon.ico
    http://search.microsoft.com/
    http://search.goo.ne.jp/favicon.ico
    http://image.excite.co.jp/jp/favicon/lep.ico
    http://www.merlin.com.pl/
    http://www.amazon.de/
    http://www.sogou.com/
    https://s2-prod.liverpool.com
    http://cerca.lycos.it/
    http://www.usertrust.com1
    http://www.orange.fr/
    http://www.microsofttranslator.com/?ref=IE8Activity
    http://www.rakuten.co.jp/favicon.ico
    http://search.nate.com/
    http://crl.usertrust.com/AddTrustExternalCARoot.crl05
    http://www.nate.com/favicon.ico
    http://de.wikipedia.org/favicon.ico
    http://apps.identrust.com/roots/dstrootcax3.p7c0
    http://ru.wikipedia.org/w/api.php?action=opensearch
    http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
    http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
    https://www.example.com
    http://www.microsoft.com/PKI/docs/CPS/default.htm0
    http://nl.wikipedia.org/favicon.ico
    http://it.search.yahoo.com/
    http://www.google.it/
    http://ocsp.usertrust.com0
    http://suche.web.de/favicon.ico
    http://www.paginasamarillas.es/favicon.ico
    http://search.seznam.cz/favicon.ico
    http://search.livedoor.com/favicon.ico
    http://search.lycos.com/
    http://fr.wikipedia.org/w/api.php?action=opensearch
    http://search.dreamwiz.com/favicon.ico
    http://www.kkbox.com.tw/
    http://suche.aol.de/
    https://www.digicert.com/CPS0
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
    http://it.search.dada.net/
    http://search.empas.com/
    http://yellowpages.superpages.com/favicon.ico
    http://arianna.libero.it/
    http://www.dailymail.co.uk/
    http://ru.wikipedia.org/favicon.ico
    http://search.auction.co.kr/
    http://ns.adobe.com/pdf/1.3/
    https://www.verisign.com/CPS04
    http://search.lycos.com/favicon.ico
    http://www3.fnac.com/
    http://search.yahoo.co.jp
    http://asp.usatoday.com/favicon.ico
    http://search.msn.com.cn/results.aspx?q=
    http://cn.bing.com/favicon.ico
    http://search2.estadao.com.br/
    http://search.cn.yahoo.com/
    http://www.microsoft.com/pki/crl/products/WinPCA.crl0R
    http://ie.search.yahoo.com/os?command=
    http://www.tesco.com/
    http://search-dyn.tiscali.it/
    http://search.ipop.co.kr/favicon.ico
    http://arianna.libero.it/favicon.ico
    http://www.myspace.com/favicon.ico
    http://it.wikipedia.org/
    http://www.dailymail.co.uk/favicon.ico
    http://www.microsoft.com/schemas/rss/core/2005/internal
    http://home.altervista.org/
    http://it.search.dada.net/favicon.ico
    http://www.gmarket.co.kr/
    http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
    http://price.ru/favicon.ico
    http://www.google.com.br/
    http://buscar.ya.com/
    http://images.monster.com/favicon.ico
    http://search.ebay.it/
    http://www.alarabiya.net/
    http://www.najdi.si/
    http://www.maktoob.com/favicon.ico
    http://purl.org/rss/1.0/modules/content/
    http://ocsp.comodoca.com0
    http://logo.verisign.com/vslogo.gif0
    https://www.googletagmanager.com
    http://price.ru/
    http://crl3.digicert.com/sha2-assured-ts.crl02
    https://felix.data.tm-awx.com
    http://www.najdi.si/favicon.ico
    http://kr.search.yahoo.com/
    http://www.aol.com/favicon.ico
    http://www.ozon.ru/favicon.ico
    http://pl.wikipedia.org/
    http://www.target.com/favicon.ico
    http://fr.search.yahoo.com/
    http://search.daum.net/
    http://de.search.yahoo.com/
    http://suche.freenet.de/favicon.ico
    http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    http://www.ceneo.pl/
    http://busca.buscape.com.br/favicon.ico
    http://www.microsoft.com/favicon.ico
    http://auone.jp/favicon.ico
    http://buscador.lycos.es/
    http://search.yahoo.com/
    http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp)
    http://search.rediff.com/favicon.ico
    http://search.auone.jp/
    http://web.ask.com/
    http://search.books.com.tw/
    http://search.ebay.in/
    http://search.about.com/
    http://www.neckermann.de/
    http://browse.guardian.co.uk/favicon.ico
    http://www.tesco.com/favicon.ico
    http://search.ipop.co.kr/
    http://www.target.com/
    http://www.amazon.com/favicon.ico
    http://recherche.linternaute.com/
    http://pt.wikipedia.org/favicon.ico
    http://openimage.interpark.com/interpark.ico
    http://www.google.si/
    http://www.yandex.ru/favicon.ico
    http://www.google.com/favicon.ico
    http://search.daum.net/favicon.ico
    http://www.walmart.com/favicon.ico
    http://udn.com/
    http://purl.org/dc/elements/1.1/
    http://www.google.es/
    http://www.cnet.co.uk/
    http://www.mtv.com/
    http://search.live.com/results.aspx?FORM=IEFM1
    http://www.abril.com.br/
    http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    http://www.baidu.com/
    http://www.microsoft.com/schemas/ie9compatlistdescription/1.0
    http://www.amazon.co.uk/
    http://it.wikipedia.org/w/api.php?action=opensearch
    http://www.tchibo.de/favicon.ico
    http://www.pchome.com.tw/favicon.ico
    http://pt.wikipedia.org/
    http://ns.adobe.com/xap/1.0/sType/ResourceEvent
    http://fr.wikipedia.org/
    http://ja.wikipedia.org/w/api.php?action=opensearch
    http://www.chennaionline.com/ncommon/images/collogo.ico
    http://www.cjmall.com/
    http://uk.search.yahoo.com/
    http://search.yahoo.com/favicon.ico
    http://busca.igbusca.com.br/
    https://localhost
    http://www.nifty.com/favicon.ico
    http://www.sify.com/favicon.ico
    http://home.altervista.org/favicon.ico
    http://search.gamer.com.tw/favicon.ico
    http://busca.buscape.com.br/
    http://search.atlas.cz/
    http://ocsp.digicert.com0C
    http://ocsp.digicert.com0O
    http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
    http://search.aol.co.uk/
    http://pl.wikipedia.org/favicon.ico
    http://ns.adobe.com/iX/1.0/
    http://search.books.com.tw/favicon.ico
    http://search.aol.in/
    https://example.com
    http://cs.wikipedia.org/favicon.ico
    http://www.valicert.com/1
    http://crl.comodoca.com/AAACertificateServices.crl06
    http://crl.comodoca.com/AAACertificateServices.crl04
    http://beta.visualstudio.net/net/sdk/feedback.asp
    http://z.about.com/m/a08.ico
    http://www.univision.com/favicon.ico
    http://nl.wikipedia.org/w/api.php?action=opensearch
    
                                                

Process memory dump for cmd.exe (PID 7960, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1


Yara signatures matches on process memory

Match: inject_thread

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: create_service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: network_udp_sock

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU2VuZFRv (WSASendTo)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NBUmVjdkZyb20= (WSARecvFrom)
  • c2VuZHRv (sendto)
  • cmVjdmZyb20= (recvfrom)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_tcp_listen

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQWNjZXB0 (WSAAccept)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • YWNjZXB0 (accept)
  • YmluZA== (bind)
  • bGlzdGVu (listen)
  • bXN3c29jay5kbGw= (mswsock.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_p2p_win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

Match: network_http

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_dropper

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: network_ftp

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_tcp_socket

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dns

  • RG5zUXVlcnk= (DnsQuery)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dga

  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: escalate_priv

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: keylogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: cred_local

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: sniff_audio

  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: migrate_apc

  • T3BlblRocmVhZA== (OpenThread)
  • UXVldWVVc2VyQVBD (QueueUserAPC)

Match: spreading_share

  • TmV0U2hhcmVFbnVt (NetShareEnum)
  • TmV0U2hhcmVHZXRJbmZv (NetShareGetInfo)
  • bmV0YXBpMzIuZGxs (netapi32.dll)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)
  • UmVnQ3JlYXRlS2V5QQ== (RegCreateKeyA)
  • UmVnT3BlbktleUV4QQ== (RegOpenKeyExA)
  • UmVnU2V0VmFsdWVFeEE= (RegSetValueExA)
  • UmVnUXVlcnlWYWx1ZUV4QQ== (RegQueryValueExA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_token

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • RHVwbGljYXRlVG9rZW5FeA== (DuplicateTokenEx)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)
  • TG9va3VwUHJpdmlsZWdlVmFsdWVB (LookupPrivilegeValueA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_private_profile

  • R2V0UHJpdmF0ZVByb2ZpbGVJbnRB (GetPrivateProfileIntA)
  • R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB (GetPrivateProfileStringA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • V3JpdGVQcml2YXRlUHJvZmlsZVN0cmluZ0E= (WritePrivateProfileStringA)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • Q3JlYXRlRmlsZUE= (CreateFileA)
  • RGVsZXRlRmlsZUE= (DeleteFileA)
  • RmluZENsb3Nl (FindClose)
  • RmluZEZpcnN0RmlsZUE= (FindFirstFileA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • TW92ZUZpbGVFeEE= (MoveFileExA)
  • U2V0RmlsZUF0dHJpYnV0ZXNB (SetFileAttributesA)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Winsock2_Library

  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Str_Win32_Wininet_Library

  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cABzAHQAbwByAGUAYwAuAGQAbABsAA== (pstorec.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • dXNlcjMyLmRsbA== (user32.dll)


Process memory dump for shedyx.exe (PID 8104, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1


Yara signatures matches on process memory

Match: network_tcp_listen

  • U3lzdGVtLk5ldA== (System.Net)
  • YmluZA== (bind)
  • bGlzdGVu (listen)

Match: network_smtp_dotNet

  • U210cENsaWVudA== (SmtpClient)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)

Match: keylogger

  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)


Process memory dump for shedyx.exe (PID 8104, dump 2)

Extracted/injected images (may contain unpacked executables)
Download #1
Download #2


Yara signatures matches on process memory

Match: infoStealer_emailClients_Zero

  • QWVyb2ZveFxGb3htYWls (Aerofox\Foxmail)
  • Rm94bWFpbFxtYWls (Foxmail\mail)
  • SW5jcmVkaU1haWxcSWRlbnRpdGllcw== (IncrediMail\Identities)
  • T3BlcmEgTWFpbFxPcGVyYSBNYWlsXHdhbmQuZGF0 (Opera Mail\Opera Mail\wand.dat)
  • U29mdHdhcmVcUmltQXJ0c1xCMlxTZXR0aW5ncw== (Software\RimArts\B2\Settings)
  • UHJvZmlsZXNcT3V0bG9vaw== (Profiles\Outlook)
  • UXVhbGNvbW1cRXVkb3JhXENvbW1hbmRMaW5l (Qualcomm\Eudora\CommandLine)

Match: inject_thread

  • Q3JlYXRlUmVtb3RlVGhyZWFk (CreateRemoteThread)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • TnRXcml0ZVZpcnR1YWxNZW1vcnk= (NtWriteVirtualMemory)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)

Match: create_service

  • Q29udHJvbFNlcnZpY2U= (ControlService)
  • Q3JlYXRlU2VydmljZQ== (CreateService)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2QXBpMzIuZGxs (AdvApi32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • U3RhcnRTZXJ2aWNl (StartService)
  • UXVlcnlTZXJ2aWNlU3RhdHVz (QueryServiceStatus)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: create_com_service

  • RGxsQ2FuVW5sb2FkTm93 (DllCanUnloadNow)
  • RGxsR2V0Q2xhc3NPYmplY3Q= (DllGetClassObject)
  • RGxsSW5zdGFsbA== (DllInstall)
  • RGxsUmVnaXN0ZXJTZXJ2ZXI= (DllRegisterServer)
  • RGxsVW5yZWdpc3RlclNlcnZlcg== (DllUnregisterServer)

Match: network_udp_sock

  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBU2VuZFRv (WSASendTo)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • V1NBUmVjdkZyb20= (WSARecvFrom)
  • VWRwQ2xpZW50 (UdpClient)
  • c2VuZHRv (sendto)
  • c3lzdGVtLm5ldA== (system.net)
  • cmVjdmZyb20= (recvfrom)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_tcp_listen

  • QWNjZXB0RXg= (AcceptEx)
  • QWNjZXB0VGNwQ2xpZW50 (AcceptTcpClient)
  • R2V0QWNjZXB0RXhTb2NrYWRkcnM= (GetAcceptExSockaddrs)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQWNjZXB0 (WSAAccept)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • VGNwTGlzdGVuZXI= (TcpListener)
  • YWNjZXB0 (accept)
  • YmluZA== (bind)
  • bGlzdGVu (listen)
  • bXN3c29jay5kbGw= (mswsock.dll)
  • c3lzdGVtLm5ldA== (system.net)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_smtp_dotNet

  • U210cENsaWVudA== (SmtpClient)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)

Match: network_p2p_win

  • UGVlckNvbGxhYkV4cG9ydENvbnRhY3Q= (PeerCollabExportContact)
  • UGVlckNvbGxhYkdldEFwcGxpY2F0aW9uUmVnaXN0cmF0aW9uSW5mbw== (PeerCollabGetApplicationRegistrationInfo)
  • UGVlckNvbGxhYkdldEV2ZW50RGF0YQ== (PeerCollabGetEventData)
  • UGVlckNvbGxhYkdldEVuZHBvaW50TmFtZQ== (PeerCollabGetEndpointName)
  • UGVlckNvbGxhYkdldEludml0YXRpb25SZXNwb25zZQ== (PeerCollabGetInvitationResponse)
  • UGVlckNvbGxhYkdldFByZXNlbmNlSW5mbw== (PeerCollabGetPresenceInfo)
  • UGVlckNvbGxhYkdldFNpZ25pbk9wdGlvbnM= (PeerCollabGetSigninOptions)
  • UGVlckNvbGxhYkludml0ZUNvbnRhY3Q= (PeerCollabInviteContact)
  • UGVlckNvbGxhYkludml0ZUVuZHBvaW50 (PeerCollabInviteEndpoint)
  • UGVlckNvbGxhYlBhcnNlQ29udGFjdA== (PeerCollabParseContact)
  • UGVlckNvbGxhYlF1ZXJ5Q29udGFjdERhdGE= (PeerCollabQueryContactData)
  • UGVlckNvbGxhYlJlZ2lzdGVyQXBwbGljYXRpb24= (PeerCollabRegisterApplication)
  • UGVlckNvbGxhYlJlZ2lzdGVyRXZlbnQ= (PeerCollabRegisterEvent)
  • UGVlckNvbGxhYlJlZnJlc2hFbmRwb2ludERhdGE= (PeerCollabRefreshEndpointData)
  • UGVlckNvbGxhYlNldE9iamVjdA== (PeerCollabSetObject)
  • UGVlckNvbGxhYlNldEVuZHBvaW50TmFtZQ== (PeerCollabSetEndpointName)
  • UGVlckNvbGxhYlNldFByZXNlbmNlSW5mbw== (PeerCollabSetPresenceInfo)
  • UGVlckNvbGxhYlNpZ25vdXQ= (PeerCollabSignout)
  • UGVlckNvbGxhYlVucmVnaXN0ZXJBcHBsaWNhdGlvbg== (PeerCollabUnregisterApplication)
  • UGVlckNvbGxhYlVwZGF0ZUNvbnRhY3Q= (PeerCollabUpdateContact)

Match: network_http

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)
  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)
  • SW50ZXJuZXRXcml0ZUZpbGU= (InternetWriteFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_dropper

  • VVJMRG93bmxvYWRUb0NhY2hlRmlsZQ== (URLDownloadToCacheFile)
  • VVJMRG93bmxvYWRUb0ZpbGU= (URLDownloadToFile)
  • dXJsbW9uLmRsbA== (urlmon.dll)

Match: network_ftp

  • RnRwQ3JlYXRlRGlyZWN0b3J5 (FtpCreateDirectory)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • RnRwR2V0RmlsZQ== (FtpGetFile)
  • RnRwR2V0RmlsZVNpemU= (FtpGetFileSize)
  • RnRwRGVsZXRlRmlsZQ== (FtpDeleteFile)
  • RnRwT3BlbkZpbGU= (FtpOpenFile)
  • RnRwU2V0Q3VycmVudERpcmVjdG9yeQ== (FtpSetCurrentDirectory)
  • RnRwUHV0RmlsZQ== (FtpPutFile)
  • RnRwUmVtb3ZlRGlyZWN0b3J5 (FtpRemoveDirectory)
  • RnRwUmVuYW1lRmlsZQ== (FtpRenameFile)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: network_tcp_socket

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQ29ubmVjdA== (WSAConnect)
  • V1NBQ2xlYW51cA== (WSACleanup)
  • V1NBU29ja2V0 (WSASocket)
  • V1NBU2VuZA== (WSASend)
  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dns

  • R2V0SG9zdEVudHJ5 (GetHostEntry)
  • RE5TQVBJLmRsbA== (DNSAPI.dll)
  • RG5zUXVlcnk= (DnsQuery)
  • U3lzdGVtLk5ldA== (System.Net)
  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • V1NBQXN5bmNHZXRIb3N0QnlOYW1l (WSAAsyncGetHostByName)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • ZG5zYXBpLmRsbA== (dnsapi.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: network_dga

  • Q1JZUFQzMi5kbGw= (CRYPT32.dll)
  • Q3J5cHRBY3F1aXJlQ29udGV4dA== (CryptAcquireContext)
  • Q3J5cHRDcmVhdGVIYXNo (CryptCreateHash)
  • Q3J5cHRIYXNoRGF0YQ== (CryptHashData)
  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2QXBpMzIuZGxs (AdvApi32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • R2V0U3lzdGVtVGltZQ== (GetSystemTime)
  • R2V0U3lzdGVtVGltZUFzRmlsZVRpbWU= (GetSystemTimeAsFileTime)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRPcGVuVXJs (InternetOpenUrl)
  • U3lzdGVtVGltZVRvRmlsZVRpbWU= (SystemTimeToFileTime)
  • V0lOSU5FVC5kbGw= (WININET.dll)
  • Y3J5cHQzMi5kbGw= (crypt32.dll)
  • YWR2YXBpMzIuZGxs (advapi32.dll)
  • Z2V0YWRkcmluZm8= (getaddrinfo)
  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: escalate_priv

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2QXBpMzIuZGxs (AdvApi32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: screenshot

  • Qml0Qmx0 (BitBlt)
  • R0RJMzIuZGxs (GDI32.dll)
  • R2V0REM= (GetDC)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: dyndns

  • U09GVFdBUkVcVml0YWx3ZXJrc1xEVUM= (SOFTWARE\Vitalwerks\DUC)

Match: keylogger

  • R2V0QXN5bmNLZXlTdGF0ZQ== (GetAsyncKeyState)
  • R2V0S2V5U3RhdGU= (GetKeyState)
  • R2V0S2V5Ym9hcmRUeXBl (GetKeyboardType)
  • TWFwVmlydHVhbEtleQ== (MapVirtualKey)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: cred_local

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • Q3JlZEVudW1lcmF0ZVc= (CredEnumerateW)
  • THNhRW51bWVyYXRlTG9nb25TZXNzaW9ucw== (LsaEnumerateLogonSessions)
  • U2FtSUNvbm5lY3Q= (SamIConnect)
  • U2FtUXVlcnlJbmZvcm1hdGlvblVzZQ== (SamQueryInformationUse)

Match: sniff_audio

  • V0lOTU0uZGxs (WINMM.dll)
  • d2F2ZUluQ2xvc2U= (waveInClose)
  • d2F2ZUluQWRkQnVmZmVy (waveInAddBuffer)
  • d2F2ZUluT3Blbg== (waveInOpen)
  • d2F2ZUluU3RhcnQ= (waveInStart)
  • d2F2ZUluUmVzZXQ= (waveInReset)
  • d2lubW0uZGxs (winmm.dll)

Match: cred_ff

  • a2V5My5kYg== (key3.db)
  • c2lnbm9ucy5zcWxpdGU= (signons.sqlite)
  • c2lnbm9uczMudHh0 (signons3.txt)

Match: migrate_apc

  • T3BlblRocmVhZA== (OpenThread)
  • UXVldWVVc2VyQVBD (QueueUserAPC)

Match: spreading_file

  • ZGVza3RvcC5pbmk= (desktop.ini)

Match: spreading_share

  • TmV0U2hhcmVFbnVt (NetShareEnum)
  • TmV0U2hhcmVHZXRJbmZv (NetShareGetInfo)
  • bmV0YXBpMzIuZGxs (netapi32.dll)

Match: rat_vnc

  • dWx0cmF2bmMuaW5p (ultravnc.ini)

Match: win_mutex

  • Q3JlYXRlTXV0ZXg= (CreateMutex)

Match: win_registry

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2QXBpMzIuZGxs (AdvApi32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • UmVnQ2xvc2VLZXk= (RegCloseKey)
  • UmVnQ3JlYXRlS2V5QQ== (RegCreateKeyA)
  • UmVnT3BlbktleUV4QQ== (RegOpenKeyExA)
  • UmVnU2V0VmFsdWVFeEE= (RegSetValueExA)
  • UmVnUXVlcnlWYWx1ZUV4QQ== (RegQueryValueExA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_token

  • QURWQVBJMzIuRExM (ADVAPI32.DLL)
  • QURWQVBJMzIuZGxs (ADVAPI32.dll)
  • QWR2QXBpMzIuZGxs (AdvApi32.dll)
  • QWR2YXBpMzIuZGxs (Advapi32.dll)
  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • RHVwbGljYXRlVG9rZW5FeA== (DuplicateTokenEx)
  • T3BlblByb2Nlc3NUb2tlbg== (OpenProcessToken)
  • TG9va3VwUHJpdmlsZWdlVmFsdWVB (LookupPrivilegeValueA)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: win_private_profile

  • R2V0UHJpdmF0ZVByb2ZpbGVJbnRB (GetPrivateProfileIntA)
  • R2V0UHJpdmF0ZVByb2ZpbGVTdHJpbmdB (GetPrivateProfileStringA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • V3JpdGVQcml2YXRlUHJvZmlsZVN0cmluZ0E= (WritePrivateProfileStringA)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: win_files_operation

  • Q29weUZpbGU= (CopyFile)
  • Q3JlYXRlRmlsZUE= (CreateFileA)
  • RGVsZXRlRmlsZUE= (DeleteFileA)
  • RmluZENsb3Nl (FindClose)
  • RmluZEZpcnN0RmlsZUE= (FindFirstFileA)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • TW92ZUZpbGVFeEE= (MoveFileExA)
  • U2V0RmlsZUF0dHJpYnV0ZXNB (SetFileAttributesA)
  • U2V0RmlsZVBvaW50ZXI= (SetFilePointer)
  • UmVhZEZpbGU= (ReadFile)
  • V3JpdGVGaWxl (WriteFile)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: Str_Win32_Winsock2_Library

  • V1MyXzMyLkRMTA== (WS2_32.DLL)
  • V1MyXzMyLmRsbA== (WS2_32.dll)
  • d3MyXzMyLmRsbA== (ws2_32.dll)

Match: Str_Win32_Wininet_Library

  • V0lOSU5FVC5kbGw= (WININET.dll)
  • d2luaW5ldC5kbGw= (wininet.dll)

Match: Str_Win32_Internet_API

  • SW50ZXJuZXRDb25uZWN0 (InternetConnect)
  • SW50ZXJuZXRDbG9zZUhhbmRsZQ== (InternetCloseHandle)
  • SW50ZXJuZXRPcGVu (InternetOpen)
  • SW50ZXJuZXRSZWFkRmlsZQ== (InternetReadFile)

Match: Str_Win32_Http_API

  • SHR0cE9wZW5SZXF1ZXN0 (HttpOpenRequest)
  • SHR0cFF1ZXJ5SW5mbw== (HttpQueryInfo)
  • SHR0cFNlbmRSZXF1ZXN0 (HttpSendRequest)

Match: infoStealer_ftpClients_Zero

  • Q29yZUZUUFxzaXRlcy5pZHg= (CoreFTP\sites.idx)
  • RlRQIE5hdmlnYXRvclxGdHBsaXN0LnR4dA== (FTP Navigator\Ftplist.txt)
  • RlRQR2V0dGVyXHNlcnZlcnMueG1s (FTPGetter\servers.xml)
  • RlRQV2FyZVxDT1JFRlRQXFNpdGVz (FTPWare\COREFTP\Sites)
  • RmlsZVppbGxhXHJlY2VudHNlcnZlcnMueG1s (FileZilla\recentservers.xml)
  • Rmxhc2hGWFBcM3F1aWNrLmRhdA== (FlashFXP\3quick.dat)
  • SXBzd2l0Y2hcV1NfRlRQXFNpdGVzXHdzX2Z0cC5pbmk= (Ipswitch\WS_FTP\Sites\ws_ftp.ini)
  • U09GVFdBUkVcXE1hcnRpbiBQcmlrcnlsXFxXaW5TQ1AgMlxcU2Vzc2lvbnM= (SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions)
  • U21hcnRGVFBcQ2xpZW50IDIuMFxGYXZvcml0ZXNcUXVpY2sgQ29ubmVjdFwqLnhtbA== (SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml)
  • Y2Z0cFxGdHBsaXN0LnR4dA== (cftp\Ftplist.txt)

Match: Win_Trojan_agentTesla_Zero

  • Q29jQ29jXEJyb3dzZXJcVXNlciBEYXRh (CocCoc\Browser\User Data)
  • Q29tb2RvXERyYWdvblxVc2VyIERhdGE= (Comodo\Dragon\User Data)
  • Q29vd29uXENvb3dvblxVc2VyIERhdGE= (Coowon\Coowon\User Data)
  • Q29yZUZUUFxzaXRlcy5pZHg= (CoreFTP\sites.idx)
  • Q2F0YWxpbmFHcm91cFxDaXRyaW9cVXNlciBEYXRh (CatalinaGroup\Citrio\User Data)
  • Q2VudEJyb3dzZXJcVXNlciBEYXRh (CentBrowser\User Data)
  • Q2hlZG90XFVzZXIgRGF0YQ== (Chedot\User Data)
  • Q3JlYXRlVGhyZWFk (CreateThread)
  • QW1pZ29cVXNlciBEYXRh (Amigo\User Data)
  • QWVyb2ZveFxGb3htYWls (Aerofox\Foxmail)
  • QnJhdmVTb2Z0d2FyZVxCcmF2ZS1Ccm93c2VyXFVzZXIgRGF0YQ== (BraveSoftware\Brave-Browser\User Data)
  • R2V0RW52aXJvbm1lbnRWYXJpYWJsZQ== (GetEnvironmentVariable)
  • RWxlbWVudHMgQnJvd3NlclxVc2VyIERhdGE= (Elements Browser\User Data)
  • RXBpYyBQcml2YWN5IEJyb3dzZXJcVXNlciBEYXRh (Epic Privacy Browser\User Data)
  • RlRQIE5hdmlnYXRvclxGdHBsaXN0LnR4dA== (FTP Navigator\Ftplist.txt)
  • RlRQR2V0dGVyXHNlcnZlcnMueG1s (FTPGetter\servers.xml)
  • RlRQV2FyZVxDT1JFRlRQXFNpdGVz (FTPWare\COREFTP\Sites)
  • Rm94bWFpbFxtYWls (Foxmail\mail)
  • RmlsZVppbGxhXHJlY2VudHNlcnZlcnMueG1s (FileZilla\recentservers.xml)
  • Rmxhc2hGWFBcM3F1aWNrLmRhdA== (FlashFXP\3quick.dat)
  • RnRwR2V0Q3VycmVudERpcmVjdG9yeQ== (FtpGetCurrentDirectory)
  • S29tZXRhXFVzZXIgRGF0YQ== (Kometa\User Data)
  • SW5jcmVkaU1haWxcSWRlbnRpdGllcw== (IncrediMail\Identities)
  • SXBzd2l0Y2hcV1NfRlRQXFNpdGVzXHdzX2Z0cC5pbmk= (Ipswitch\WS_FTP\Sites\ws_ftp.ini)
  • SXJpZGl1bVxVc2VyIERhdGE= (Iridium\User Data)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • T3BlcmEgTWFpbFxPcGVyYSBNYWlsXHdhbmQuZGF0 (Opera Mail\Opera Mail\wand.dat)
  • T3BlcmEgU29mdHdhcmVcT3BlcmEgU3RhYmxl (Opera Software\Opera Stable)
  • T3JiaXR1bVxVc2VyIERhdGE= (Orbitum\User Data)
  • U09GVFdBUkVcXE1hcnRpbiBQcmlrcnlsXFxXaW5TQ1AgMlxcU2Vzc2lvbnM= (SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions)
  • U210cENsaWVudA== (SmtpClient)
  • U21hcnRGVFBcQ2xpZW50IDIuMFxGYXZvcml0ZXNcUXVpY2sgQ29ubmVjdFwqLnhtbA== (SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml)
  • U29mdHdhcmVcUmltQXJ0c1xCMlxTZXR0aW5ncw== (Software\RimArts\B2\Settings)
  • U2xlaXBuaXI1XHNldHRpbmdcbW9kdWxlc1xDaHJvbWl1bVZpZXdlcg== (Sleipnir5\setting\modules\ChromiumViewer)
  • U3B1dG5pa1xTcHV0bmlrXFVzZXIgRGF0YQ== (Sputnik\Sputnik\User Data)
  • U3lzdGVtLk5ldC5NYWls (System.Net.Mail)
  • UHJvZmlsZXNcT3V0bG9vaw== (Profiles\Outlook)
  • UUlQIFN1cmZcVXNlciBEYXRh (QIP Surf\User Data)
  • UXVhbGNvbW1cRXVkb3JhXENvbW1hbmRMaW5l (Qualcomm\Eudora\CommandLine)
  • V3JpdGVQcm9jZXNzTWVtb3J5 (WriteProcessMemory)
  • VG9yY2hcVXNlciBEYXRh (Torch\User Data)
  • VGVuY2VudFxRUUJyb3dzZXJcVXNlciBEYXRh (Tencent\QQBrowser\User Data)
  • Vml2YWxkaVxVc2VyIERhdGE= (Vivaldi\User Data)
  • VmlydHVhbEFsbG9jRXg= (VirtualAllocEx)
  • WWFuZGV4XFlhbmRleEJyb3dzZXJcVXNlciBEYXRh (Yandex\YandexBrowser\User Data)
  • XDdTdGFyXFVzZXIgRGF0YQ== (\7Star\User Data)
  • Y2Z0cFxGdHBsaXN0LnR4dA== (cftp\Ftplist.txt)
  • bGllYmFvXFVzZXIgRGF0YQ== (liebao\User Data)
  • dUNvek1lZGlhXFVyYW5cVXNlciBEYXRh (uCozMedia\Uran\User Data)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerCheck__RemoteAPI

  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: DebuggerException__ConsoleCtrl

  • R2VuZXJhdGVDb25zb2xlQ3RybEV2ZW50 (GenerateConsoleCtrlEvent)

Match: DebuggerException__SetConsoleCtrl

  • U2V0Q29uc29sZUN0cmxIYW5kbGVy (SetConsoleCtrlHandler)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: Check_Dlls

  • ZGJnaGVscC5kbGw= (dbghelp.dll)
  • cHN0b3JlYy5kbGw= (pstorec.dll)

Match: anti_dbg

  • Q29udGludWVEZWJ1Z0V2ZW50 (ContinueDebugEvent)
  • Q2hlY2tSZW1vdGVEZWJ1Z2dlclByZXNlbnQ= (CheckRemoteDebuggerPresent)
  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • S0VSTkVMMzIuZGxs (KERNEL32.dll)
  • S2VybmVsMzIuZGxs (Kernel32.dll)
  • SXNEZWJ1Z2dlclByZXNlbnQ= (IsDebuggerPresent)
  • T3V0cHV0RGVidWdTdHJpbmc= (OutputDebugString)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: antisb_threatExpert

  • ZGJnaGVscC5kbGw= (dbghelp.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • U2V0UHJvY2Vzc0RFUFBvbGljeQ== (SetProcessDEPPolicy)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: win_hook

  • Q2FsbE5leHRIb29rRXg= (CallNextHookEx)
  • U2V0V2luZG93c0hvb2tFeEE= (SetWindowsHookExA)
  • VVNFUjMyLkRMTA== (USER32.DLL)
  • VVNFUjMyLmRsbA== (USER32.dll)
  • VW5ob29rV2luZG93c0hvb2tFeA== (UnhookWindowsHookEx)
  • VXNlcjMyLmRsbA== (User32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: infoStealer_browser_Zero

  • Q29jQ29jXEJyb3dzZXJcVXNlciBEYXRh (CocCoc\Browser\User Data)
  • Q29tb2RvXERyYWdvblxVc2VyIERhdGE= (Comodo\Dragon\User Data)
  • Q29vd29uXENvb3dvblxVc2VyIERhdGE= (Coowon\Coowon\User Data)
  • Q2F0YWxpbmFHcm91cFxDaXRyaW9cVXNlciBEYXRh (CatalinaGroup\Citrio\User Data)
  • Q2VudEJyb3dzZXJcVXNlciBEYXRh (CentBrowser\User Data)
  • Q2hlZG90XFVzZXIgRGF0YQ== (Chedot\User Data)
  • QW1pZ29cVXNlciBEYXRh (Amigo\User Data)
  • QnJhdmVTb2Z0d2FyZVxCcmF2ZS1Ccm93c2VyXFVzZXIgRGF0YQ== (BraveSoftware\Brave-Browser\User Data)
  • RWxlbWVudHMgQnJvd3NlclxVc2VyIERhdGE= (Elements Browser\User Data)
  • RXBpYyBQcml2YWN5IEJyb3dzZXJcVXNlciBEYXRh (Epic Privacy Browser\User Data)
  • S29tZXRhXFVzZXIgRGF0YQ== (Kometa\User Data)
  • SXJpZGl1bVxVc2VyIERhdGE= (Iridium\User Data)
  • T3BlcmEgU29mdHdhcmVcT3BlcmEgU3RhYmxl (Opera Software\Opera Stable)
  • T3JiaXR1bVxVc2VyIERhdGE= (Orbitum\User Data)
  • U2xlaXBuaXI1XHNldHRpbmdcbW9kdWxlc1xDaHJvbWl1bVZpZXdlcg== (Sleipnir5\setting\modules\ChromiumViewer)
  • U3B1dG5pa1xTcHV0bmlrXFVzZXIgRGF0YQ== (Sputnik\Sputnik\User Data)
  • UUlQIFN1cmZcVXNlciBEYXRh (QIP Surf\User Data)
  • VG9yY2hcVXNlciBEYXRh (Torch\User Data)
  • VGVuY2VudFxRUUJyb3dzZXJcVXNlciBEYXRh (Tencent\QQBrowser\User Data)
  • Vml2YWxkaVxVc2VyIERhdGE= (Vivaldi\User Data)
  • WWFuZGV4XFlhbmRleEJyb3dzZXJcVXNlciBEYXRh (Yandex\YandexBrowser\User Data)
  • XDdTdGFyXFVzZXIgRGF0YQ== (\7Star\User Data)
  • bGllYmFvXFVzZXIgRGF0YQ== (liebao\User Data)
  • dUNvek1lZGlhXFVyYW5cVXNlciBEYXRh (uCozMedia\Uran\User Data)

Match: Chrome_User_Data_Check_Zero

  • XEdvb2dsZVxDaHJvbWVcVXNlciBEYXRhXA== (\Google\Chrome\User Data\)

Match: infoStealer_DownloadManagement_Zero

  • akRvd25sb2FkZXJcY29uZmlnXGRhdGFiYXNlLnNjcmlwdA== (jDownloader\config\database.script)


URLs found in process memory
    http://www.expedia.com/favicon.ico
    http://uk.ask.com/favicon.ico
    http://www.priceminister.com/
    http://ru.wikipedia.org/
    http://www.merlin.com.pl/favicon.ico
    http://www.cnet.com/favicon.ico
    http://search.nifty.com/
    http://ns.adobe.com/exif/1.0/
    http://www.etmall.com.tw/
    http://search.goo.ne.jp/
    http://fr.wikipedia.org/favicon.ico
    http://busca.estadao.com.br/favicon.ico
    http://search.hanafos.com/favicon.ico
    http://search.chol.com/favicon.ico
    http://amazon.fr/
    http://www.amazon.co.jp/
    http://www.mtv.com/favicon.ico
    http://busqueda.aol.com.mx/
    http://search.live.com/results.aspx?FORM=SOLTDF
    http://msdn.microsoft.com/
    http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp)
    http://www.sify.com/favicon.ico
    http://yellowpages.superpages.com/
    http://suche.freenet.de/
    http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson
    http://search.aol.com/
    http://browse.guardian.co.uk/
    http://www.mercadolibre.com.mx/
    http://www.asharqalawsat.com/
    http://www.facebook.com/
    http://si.wikipedia.org/favicon.ico
    http://www.rtl.de/favicon.ico
    http://search.msn.com/results.aspx?q=
    http://www.microsoft.com/pki/certs/MicrosoftWinPCA.crt0
    http://search.naver.com/favicon.ico
    http://en.wikipedia.org/favicon.ico
    http://si.wikipedia.org/w/api.php?action=opensearch
    http://udn.com/favicon.ico
    http://rover.ebay.com
    http://search.ebay.fr/
    http://www.univision.com/
    http://pt.wikipedia.org/w/api.php?action=opensearch
    http://it.wikipedia.org/favicon.ico
    http://uk.ask.com/
    http://www.google.co.uk/
    http://cnweb.search.live.com/results.aspx?q=
    http://www.google.cz/
    http://www.google.co.jp/
    http://search.ebay.co.uk/
    http://www.weather.com/
    http://www.taobao.com/favicon.ico
    http://www.news.com.au/favicon.ico
    http://search.orange.co.uk/favicon.ico
    http://video.globo.com/
    http://search.ebay.de/
    http://www.taobao.com/
    http://corp.naukri.com/favicon.ico
    http://www.servicios.clarin.com/
    http://localhost
    http://www.rambler.ru/favicon.ico
    http://www.linternaute.com/favicon.ico
    http://ns.adobe.com/photoshop/1.0/
    http://www.shopzilla.com/
    http://www.amazon.com/gp/search?ie=UTF8
    http://search.live.com/results.aspx?FORM=SO2TDF
    http://busca.orange.es/
    http://www.excite.co.jp/
    http://cs.wikipedia.org/
    http://www.gismeteo.ru/favicon.ico
    http://www.cjmall.com/favicon.ico
    http://suche.t-online.de/
    http://www.ya.com/favicon.ico
    http://www.priceminister.com/favicon.ico
    http://www.mercadolibre.com.mx/favicon.ico
    http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    http://ns.adobe.com/tiff/1.0/
    http://www.google.de/
    http://www.otto.de/favicon.ico
    http://www.iask.com/
    http://www.microsoft.com
    http://www.arrakis.com/
    http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
    http://search.ebay.es/
    http://search.gamer.com.tw/
    http://www.tiscali.it/favicon.ico
    http://ns.adobe.com/xap/1.0/
    http://www.soso.com/favicon.ico
    http://microsoft.com0
    http://recherche.tf1.fr/
    http://si.wikipedia.org/
    http://search.livedoor.com/
    http://search.centrum.cz/
    http://www.auction.co.kr/auction.ico
    http://www.t-online.de/favicon.ico
    http://ja.wikipedia.org/favicon.ico
    http://www.abril.com.br/favicon.ico
    http://clients5.google.com/complete/search?hl=
    http://www.ozon.ru/
    http://search.alice.it/
    http://www.microsoft.com/windowsxp/expertzone/
    http://search.yahoo.co.jp/favicon.ico
    http://cnet.search.com/
    http://www.walmart.com/
    http://espn.go.com/favicon.ico
    http://msdn.microsoft.com/workshop/security/szone/overview/templates.asp)
    http://search.interpark.com/
    http://www.gmarket.co.kr/favicon.ico
    http://www.neckermann.de/favicon.ico
    http://sitesearch.timesonline.co.uk/
    http://cn.bing.com/search?q=
    http://video.globo.com/favicon.ico
    http://es.wikipedia.org/
    http://img.atlas.cz/favicon.ico
    http://searchresults.news.com.au/
    http://update.microsoft.com/windowsupdate
    http://search.rediff.com/
    http://search.lycos.co.uk/
    http://en.wikipedia.org/
    http://www.google.com.tw/
    http://www.tchibo.de/
    http://www.google.com/
    http://buscador.terra.es/
    http://search.msn.co.jp/results.aspx?q=
    http://www.mercadolivre.com.br/favicon.ico
    http://ja.wikipedia.org/
    http://search.chol.com/
    http://search.espn.go.com/
    http://www.google.com.sa/
    http://jobsearch.monster.com/
    http://buscador.terra.com/
    http://www.google.co.in/
    http://www.google.fr/
    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hash%%torpass%https://www.theonionrouter.com/dist.torproject.org/torbrowser/
    http://www.cdiscount.com/favicon.ico
    http://asp.usatoday.com/
    http://vachercher.lycos.fr/
    http://www.yam.com/favicon.ico
    http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
    http://search.sify.com/
    http://search.ebay.com/favicon.ico
    http://www.paginasamarillas.es/
    http://nl.wikipedia.org/
    http://search.alice.it/favicon.ico
    http://www.ask.com/
    http://www.so-net.ne.jp/share/favicon.ico
    http://espanol.search.yahoo.com/
    http://www.alarabiya.net/favicon.ico
    http://ocnsearch.goo.ne.jp/
    http://list.taobao.com/
    http://buscador.terra.com.br/
    http://search.msn.co.uk/results.aspx?q=
    http://anWqTR.com
    http://busca.igbusca.com.br//app/static/images/favicon.ico
    http://www.rambler.ru/
    http://purl.org/dc/elements/1.1/
    http://www.cdiscount.com/
    http://www.mercadolivre.com.br/
    http://www.facebook.com/favicon.ico
    http://search.hanafos.com/
    http://sads.myspace.com/
    http://suche.web.de/
    http://recherche.tf1.fr/favicon.ico
    http://cs.wikipedia.org/w/api.php?action=opensearch
    http://search.dreamwiz.com/
    http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService
    http://www.yandex.ru/
    http://www.baidu.com/favicon.ico
    http://ariadna.elmundo.es/
    http://www.rtl.de/
    http://es.search.yahoo.com/
    http://p.zhongsou.com/
    http://es.wikipedia.org/favicon.ico
    http://www.timesonline.co.uk/img/favicon.ico
    http://buscar.ozu.es/
    http://so-net.search.goo.ne.jp/
    http://cgi.search.biglobe.ne.jp/favicon.ico
    http://list.taobao.com/browse/search_visual.htm?n=15
    http://www.soso.com/
    http://www.afisha.ru/App_Themes/Default/images/favicon.ico
    http://img.shopzilla.com/shopzilla/shopzilla.ico
    http://wellformedweb.org/CommentAPI/
    http://search.orange.co.uk/
    http://ariadna.elmundo.es/favicon.ico
    http://search.gismeteo.ru/
    http://www3.fnac.com/favicon.ico
    http://en.wikipedia.org/w/api.php?action=opensearch
    http://support.microsoft.com
    http://in.search.yahoo.com/
    http://www.etmall.com.tw/favicon.ico
    http://www.ceneo.pl/favicon.ico
    http://service2.bfast.com/
    http://tw.search.yahoo.com/
    http://www.paginasamarillas.es/favicon.ico
    http://www.ozu.es/favicon.ico
    http://www.iask.com/favicon.ico
    http://google.pchome.com.tw/
    http://p.zhongsou.com/favicon.ico
    http://search.ebay.com/
    http://search1.taobao.com/
    http://br.search.yahoo.com/
    http://suche.lycos.de/
    http://www.asharqalawsat.com/favicon.ico
    http://mail.live.com/
    http://ru.search.yahoo.com
    http://de.wikipedia.org/
    http://www.microsoft.com/pkiops/docs/primarycps.htm0
    http://find.joins.com/
    http://ns.adobe.com/xap/1.0/mm/
    http://www.google.ru/
    http://search.empas.com/favicon.ico
    http://search.seznam.cz/
    http://de.wikipedia.org/w/api.php?action=opensearch
    http://www.expedia.com/
    http://www.clarin.com/favicon.ico
    http://busca.uol.com.br/
    http://go2.microsoft.com/fwlink/?LinkId=131738
    http://mail.live.com/?rru=compose%3Fsubject%3D
    http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    http://buscador.terra.com/favicon.ico
    http://search.nate.com/
    http://purl.org/rss/1.0/modules/slash/
    http://ie8.ebay.com/open-search/output-xml.php?q=
    http://www.kkbox.com.tw/favicon.ico
    http://www.ocn.ne.jp/favicon.ico
    http://corp.naukri.com/
    http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended
    http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity
    http://www.recherche.aol.fr/
    http://pl.wikipedia.org/w/api.php?action=opensearch
    http://www.weather.com/favicon.ico
    http://search.centrum.cz/favicon.ico
    http://search.yam.com/
    http://search.live.com/results.aspx?q=
    http://busca.uol.com.br/favicon.ico
    http://images.joins.com/ui_c/fvc_joins.ico
    http://cgi.search.biglobe.ne.jp/
    http://msk.afisha.ru/
    http://es.wikipedia.org/w/api.php?action=opensearch
    http://www.google.pl/
    http://www.arrakis.com/favicon.ico
    http://search.microsoft.com/
    http://search.goo.ne.jp/favicon.ico
    http://image.excite.co.jp/jp/favicon/lep.ico
    http://www.merlin.com.pl/
    http://www.amazon.de/
    http://www.sogou.com/
    http://cerca.lycos.it/
    http://www.orange.fr/
    http://www.microsofttranslator.com/?ref=IE8Activity
    http://www.rakuten.co.jp/favicon.ico
    http://www.nate.com/favicon.ico
    http://de.wikipedia.org/favicon.ico
    http://ru.wikipedia.org/w/api.php?action=opensearch
    http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
    http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
    https://www.example.com
    http://www.microsoft.com/PKI/docs/CPS/default.htm0
    http://nl.wikipedia.org/favicon.ico
    http://it.search.yahoo.com/
    http://www.google.it/
    http://suche.web.de/favicon.ico
    http://search.seznam.cz/favicon.ico
    http://search.livedoor.com/favicon.ico
    http://search.lycos.com/
    http://fr.wikipedia.org/w/api.php?action=opensearch
    http://search.dreamwiz.com/favicon.ico
    http://www.kkbox.com.tw/
    http://suche.aol.de/
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
    http://it.search.dada.net/
    http://search.empas.com/
    http://yellowpages.superpages.com/favicon.ico
    http://arianna.libero.it/
    http://www.dailymail.co.uk/
    http://ru.wikipedia.org/favicon.ico
    http://search.auction.co.kr/
    http://search.lycos.com/favicon.ico
    http://www3.fnac.com/
    http://search.yahoo.co.jp
    http://asp.usatoday.com/favicon.ico
    http://search.msn.com.cn/results.aspx?q=
    http://cn.bing.com/favicon.ico
    http://127.0.0.1
    http://search2.estadao.com.br/
    http://search.cn.yahoo.com/
    http://www.microsoft.com/pki/crl/products/WinPCA.crl0R
    http://ie.search.yahoo.com/os?command=
    http://www.tesco.com/
    http://search-dyn.tiscali.it/
    http://search.ipop.co.kr/favicon.ico
    http://arianna.libero.it/favicon.ico
    http://www.myspace.com/favicon.ico
    http://it.wikipedia.org/
    http://www.dailymail.co.uk/favicon.ico
    http://www.microsoft.com/schemas/rss/core/2005/internal
    http://home.altervista.org/
    http://it.search.dada.net/favicon.ico
    http://www.gmarket.co.kr/
    http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
    http://price.ru/favicon.ico
    http://www.google.com.br/
    http://buscar.ya.com/
    http://images.monster.com/favicon.ico
    http://search.ebay.it/
    http://www.alarabiya.net/
    http://www.najdi.si/
    http://www.maktoob.com/favicon.ico
    http://purl.org/rss/1.0/modules/content/
    http://ns.adobe.com/pdf/1.3/
    http://price.ru/
    http://DynDns.comDynDNS
    http://www.najdi.si/favicon.ico
    http://kr.search.yahoo.com/
    http://www.aol.com/favicon.ico
    http://www.ozon.ru/favicon.ico
    http://pl.wikipedia.org/
    http://www.target.com/favicon.ico
    http://fr.search.yahoo.com/
    http://search.daum.net/
    http://de.search.yahoo.com/
    http://suche.freenet.de/favicon.ico
    http://busca.buscape.com.br/favicon.ico
    http://www.microsoft.com/favicon.ico
    http://auone.jp/favicon.ico
    http://buscador.lycos.es/
    http://search.yahoo.com/
    http://www.sogou.com/favicon.ico
    http://search.rediff.com/favicon.ico
    http://search.auone.jp/
    http://web.ask.com/
    http://search.books.com.tw/
    http://search.ebay.in/
    http://search.aol.co.uk/
    http://www.neckermann.de/
    http://browse.guardian.co.uk/favicon.ico
    http://www.tesco.com/favicon.ico
    http://search.ipop.co.kr/
    http://www.target.com/
    http://www.amazon.com/favicon.ico
    http://recherche.linternaute.com/
    http://pt.wikipedia.org/favicon.ico
    http://openimage.interpark.com/interpark.ico
    http://www.google.si/
    http://www.yandex.ru/favicon.ico
    http://www.google.com/favicon.ico
    http://search.daum.net/favicon.ico
    http://www.walmart.com/favicon.ico
    http://udn.com/
    http://esearch.rakuten.co.jp/
    http://www.google.es/
    http://www.cnet.co.uk/
    http://www.mtv.com/
    http://search.live.com/results.aspx?FORM=IEFM1
    http://www.abril.com.br/
    http://www.baidu.com/
    http://www.microsoft.com/schemas/ie9compatlistdescription/1.0
    http://www.amazon.co.uk/
    http://it.wikipedia.org/w/api.php?action=opensearch
    http://www.tchibo.de/favicon.ico
    http://www.pchome.com.tw/favicon.ico
    http://pt.wikipedia.org/
    http://ns.adobe.com/xap/1.0/sType/ResourceEvent
    http://fr.wikipedia.org/
    http://ja.wikipedia.org/w/api.php?action=opensearch
    http://www.chennaionline.com/ncommon/images/collogo.ico
    http://www.cjmall.com/
    http://uk.search.yahoo.com/
    http://search.yahoo.com/favicon.ico
    http://busca.igbusca.com.br/
    https://localhost
    http://www.nifty.com/favicon.ico
    http://search.naver.com/
    http://home.altervista.org/favicon.ico
    http://search.gamer.com.tw/favicon.ico
    http://busca.buscape.com.br/
    http://es.ask.com/
    http://search.atlas.cz/
    http://www.ceneo.pl/
    http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
    http://search.about.com/
    http://pl.wikipedia.org/favicon.ico
    http://ns.adobe.com/iX/1.0/
    http://search.books.com.tw/favicon.ico
    http://search.aol.in/
    https://example.com
    http://cs.wikipedia.org/favicon.ico
    http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
    http://beta.visualstudio.net/net/sdk/feedback.asp
    http://z.about.com/m/a08.ico
    http://www.univision.com/favicon.ico
    http://nl.wikipedia.org/w/api.php?action=opensearch