
Analysis Report ATR1.exe

Overview

General Information

Sample Name:ATR1.exe
Analysis ID:255272
MD5:020d56ce7d0a45a896c811550e05ce9d
SHA1:814c8ddbc50e9e158e63bdd745d683dcb636c2a6
SHA256:06078629129c4bc1abb214bbbe1bfadca65b618ac9f6f93fc3b22d0a37740f5b

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • ATR1.exe (PID: 6900 cmdline: 'C:\Users\user\Desktop\ATR1.exe' MD5: 020D56CE7D0A45A896C811550E05CE9D)
    • ATR1.exe (PID: 7140 cmdline: C:\Users\user\Desktop\ATR1.exe MD5: 020D56CE7D0A45A896C811550E05CE9D)
    • ATR1.exe (PID: 7148 cmdline: C:\Users\user\Desktop\ATR1.exe MD5: 020D56CE7D0A45A896C811550E05CE9D)
      • explorer.exe (PID: 3456 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 6688 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 6924 cmdline: /c del 'C:\Users\user\Desktop\ATR1.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 1bsdwdzi4xdbt2h.exe (PID: 5376 cmdline: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exe MD5: 020D56CE7D0A45A896C811550E05CE9D)
        • 1bsdwdzi4xdbt2h.exe (PID: 5568 cmdline: 'C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exe' MD5: 020D56CE7D0A45A896C811550E05CE9D)
  • cleanup
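The process tree above is the evidence behind the injection, hollowing and self-deletion signatures listed under Signatures: the sample starts two further copies of itself, explorer.exe then appears under one of those copies (a sandbox places a system process under the sample when the sample injected into it), explorer spawns a SysWOW64 wscript.exe whose cmd.exe deletes the original file, and two copies of the sample with the same MD5 run from a new name under Program Files (x86). The Python script below is an added example, not part of the Joe Sandbox report: it transcribes that tree and flags those relationships programmatically. Parent links follow the indentation of the tree; explorer.exe and cmd.exe are reduced to basenames because the report gives no path for them. PID 7140 is listed twice (the second ATR1.exe and, later, conhost.exe): a sandbox reuses PIDs once a process exits, so the records are kept as a list rather than keyed by PID.

```python
"""Flag injection, hollowing and self-deletion patterns in a sandbox process tree.

PROCS is transcribed from the report's Startup section (PIDs, image names,
command lines and MD5s as listed there). ppid follows the tree indentation.
explorer.exe and cmd.exe are basenames only: the report lists no path for them.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_IMAGE = "ATR1.exe"
SAMPLE_MD5 = "020D56CE7D0A45A896C811550E05CE9D"

PROCS: List[Dict] = [
    dict(pid=6900, ppid=None, image="ATR1.exe", md5=SAMPLE_MD5,
         cmdline=r"'C:\Users\user\Desktop\ATR1.exe'"),
    dict(pid=7140, ppid=6900, image="ATR1.exe", md5=SAMPLE_MD5,
         cmdline=r"C:\Users\user\Desktop\ATR1.exe"),
    dict(pid=7148, ppid=6900, image="ATR1.exe", md5=SAMPLE_MD5,
         cmdline=r"C:\Users\user\Desktop\ATR1.exe"),
    dict(pid=3456, ppid=7148, image="explorer.exe",
         md5="AD5296B280E8F522A8A897C96BAB0E1D", cmdline=""),
    dict(pid=6688, ppid=3456, image="wscript.exe",
         md5="7075DD7B9BE8807FCA93ACD86F724884",
         cmdline=r"C:\Windows\SysWOW64\wscript.exe"),
    dict(pid=6924, ppid=6688, image="cmd.exe",
         md5="F3BDBE3BB6F734E357235F4D5898582D",
         cmdline=r"/c del 'C:\Users\user\Desktop\ATR1.exe'"),
    # PID 7140 again: the earlier ATR1.exe copy exited and its PID was reused,
    # which is why records are kept in a list and not in a dict keyed by PID.
    dict(pid=7140, ppid=6924, image="conhost.exe",
         md5="EA777DEEA782E8B4D7C7C33BBF8A4496",
         cmdline=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    dict(pid=5376, ppid=3456, image="1bsdwdzi4xdbt2h.exe", md5=SAMPLE_MD5,
         cmdline=r"C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exe"),
    dict(pid=5568, ppid=3456, image="1bsdwdzi4xdbt2h.exe", md5=SAMPLE_MD5,
         cmdline=r"'C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exe'"),
]


def findings(procs: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for every suspicious parent/child relation."""
    by_pid = defaultdict(list)
    for p in procs:
        by_pid[p["pid"]].append(p)
    out = []
    for p in procs:
        # First record with that PID; no record here has a reused PID as its
        # parent, so the lookup is unambiguous for this tree. With real telemetry
        # you would disambiguate by process start time.
        parents = by_pid.get(p["ppid"], [])
        parent = parents[0] if parents else None
        pimg = parent["image"].lower() if parent else None
        img = p["image"].lower()

        # 1. A process starting a second copy of its own image: the child is the
        #    usual target of "Creates a process in suspended mode" followed by
        #    hollowing, which is exactly what the report records for this sample.
        if parent and pimg == img:
            out.append(("self_spawn", p["pid"]))

        # 2. explorer.exe under anything other than userinit.exe (its normal
        #    parent at logon). In a sandbox tree this means the sample injected
        #    into the already-running explorer, so everything explorer starts
        #    from here on is malware activity, not user activity.
        if img == "explorer.exe" and parent and pimg != "userinit.exe":
            out.append(("explorer_under_sample", p["pid"]))

        # 3. cmd.exe deleting the original sample path: the loader removes
        #    itself once the persistent copy is in place.
        if (img == "cmd.exe" and re.search(r"\bdel\b", p["cmdline"], re.I)
                and SAMPLE_IMAGE.lower() in p["cmdline"].lower()):
            out.append(("self_delete", p["pid"]))

        # 4. Same MD5 as the sample running under a different image name:
        #    the persistence artefact (1bsdwdzi4xdbt2h.exe in this report).
        if p.get("md5") == SAMPLE_MD5 and img != SAMPLE_IMAGE.lower():
            out.append(("renamed_copy", p["pid"]))
    return out


if __name__ == "__main__":
    for rule, pid in findings(PROCS):
        print(f"{rule:<24} pid {pid}")
```

Applied to the transcribed tree the script reports both spawned ATR1.exe copies (7140, 7148) as self-spawn, explorer.exe 3456 as sitting under the sample, cmd.exe 6924 as the self-delete, and 5376/5568 as renamed copies of the sample.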

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.483209800.00000000035E0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.483209800.00000000035E0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.483209800.00000000035E0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.285825335.0000000001480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.285825335.0000000001480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
28 further entries not shown.
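Reading the dump identifiers above tells you which of the many FormBook hits to unpack first. The naming assumed here is an inference from the identifiers on this page, not a documented format: process number, stage, sequence number, base address, page protection, flag, with everything but the sequence number in hex. The page-protection field carries the Win32 PAGE_* value of the dumped region (0x04 PAGE_READWRITE, 0x40 PAGE_EXECUTE_READWRITE), so a hit in an RWX region at a conventional image base such as 0x400000 is the hollowed payload, while a hit in an RW region is typically a staging buffer. The Python below is an added example, not part of the Joe Sandbox report; it decodes the nine MEMORY sources listed under "Yara detected FormBook" in the signature section and ranks them on that basis.

```python
"""Decode Joe Sandbox memory-dump identifiers and rank Yara hits for unpacking.

Assumed field layout (inferred from this report, not a documented format):
  <process no>.<stage>.<sequence>.<base address>.<page protection>.<flag>.sdmp
All fields except <sequence> are hexadecimal. <page protection> is the Win32
PAGE_* constant of the dumped region; <stage> and <flag> are carried through
but not interpreted.
"""
import re
from typing import List, NamedTuple

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\.sdmp$")


class Dump(NamedTuple):
    name: str
    process: int
    stage: int
    base: int
    protect: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def executable(self) -> bool:
        # The PAGE_EXECUTE* values occupy the high nibble of the low byte.
        return bool(self.protect & 0xF0)


def parse_dump(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump identifier: {name}")
    return Dump(name, int(m["proc"], 16), int(m["stage"], 16),
                int(m["base"], 16), int(m["prot"], 16))


def rank_hits(names: List[str]) -> List[Dump]:
    """Executable regions first, lowest base address first: the RWX region at a
    conventional image base (0x400000) is the hollowed PE and the best dump to
    unpack and diff against the on-disk sample."""
    dumps = [parse_dump(n) for n in names]
    return sorted(dumps, key=lambda d: (not d.executable, d.base, d.process))


# The nine MEMORY sources the report lists under "Yara detected FormBook".
FORMBOOK_HITS = [
    "0000000A.00000002.483209800.00000000035E0000.00000004.00000001.sdmp",
    "00000003.00000002.285825335.0000000001480000.00000040.00000001.sdmp",
    "0000000A.00000002.481843345.00000000033C0000.00000040.00000001.sdmp",
    "00000000.00000002.234773983.0000000003C17000.00000004.00000001.sdmp",
    "00000003.00000002.280990399.0000000000400000.00000040.00000001.sdmp",
    "00000003.00000002.285998034.00000000014B0000.00000040.00000001.sdmp",
    "0000000A.00000002.483004188.00000000035B0000.00000040.00000001.sdmp",
    "0000001E.00000002.486073260.0000000003E84000.00000004.00000001.sdmp",
    "0000001F.00000002.483763459.0000000004234000.00000004.00000001.sdmp",
]

if __name__ == "__main__":
    for d in rank_hits(FORMBOOK_HITS):
        print(f"process {d.process:>2}  base 0x{d.base:08x}  {d.protect_name}")
```

For this report the ranking puts process 3's RWX region at 0x400000 first, which is the same region the "3.2.ATR1.exe.400000.0.unpack" entry under Unpacked PEs was carved from; the RW hits in processes 0x0, 0x1E and 0x1F are the loader and the two renamed copies holding the payload before injection.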

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.ATR1.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.ATR1.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.ATR1.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17629:$sqlite3step: 68 34 1C 7B E1
        • 0x1773c:$sqlite3step: 68 34 1C 7B E1
        • 0x17658:$sqlite3text: 68 38 2A 90 C5
        • 0x1777d:$sqlite3text: 68 38 2A 90 C5
        • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
3.2.ATR1.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.ATR1.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1 further entry not shown.
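The byte strings in the two rules above are worth reading rather than only matching. The JPCERT strings all begin with 0x68, the x86 opcode for push imm32, so each is a push of a 32-bit constant (little-endian: 0xE17B1C34, 0xC5902A38, 0x8C7FD853); the rule's string names indicate these are the hashes FormBook pushes when resolving the sqlite3 step/text/blob functions it uses to read browser databases, which lines up with the "Tries to harvest and steal browser information" signature. yara-signator's $sequence_0, 03 C8 0F 31 2B C1 89 45 FC, disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing check behind "Tries to detect virtualization through RDTSC time measurements". The Python below is an added example, not part of the report or of either rule: it re-implements both matchers over a constructed buffer. The page does not show the JPCERT rule's condition; requiring all three hashes is an assumption, consistent with all three matching in every dump listed.

```python
"""Re-implement the two FormBook Yara matchers shown in this report.

find_push_hashes() mirrors JPCERT's strings: it decodes every `push imm32`
(opcode 0x68) and reports immediates on the hash watch list, so a hash that
occurs without the push opcode is not a hit. find_sequences() mirrors the
exact-byte strings of the yara-signator rule. The buffer scanned is
constructed here and labelled as such.
"""
import struct
from typing import Dict, List, Tuple

# Immediates from the JPCERT rule, decoded little-endian from the report.
PUSH_HASHES: Dict[int, str] = {
    0xE17B1C34: "sqlite3step",   # 68 34 1C 7B E1
    0xC5902A38: "sqlite3text",   # 68 38 2A 90 C5
    0x8C7FD853: "sqlite3blob",   # 68 53 D8 7F 8C
}

# Exact sequence from the yara-signator rule ($sequence_0 in the report):
# add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
SEQUENCES: Dict[str, bytes] = {
    "rdtsc_delta": bytes.fromhex("03C80F312BC18945FC"),
}


def find_push_hashes(buf: bytes) -> List[Tuple[int, str, int]]:
    """(offset, label, immediate) for every push imm32 of a watched hash."""
    hits = []
    i = buf.find(b"\x68")
    while i != -1 and i + 5 <= len(buf):
        imm = struct.unpack_from("<I", buf, i + 1)[0]
        if imm in PUSH_HASHES:
            hits.append((i, PUSH_HASHES[imm], imm))
        i = buf.find(b"\x68", i + 1)
    return hits


def find_sequences(buf: bytes) -> List[Tuple[int, str]]:
    """(offset, label) for every occurrence of each exact byte sequence."""
    hits = []
    for label, pattern in SEQUENCES.items():
        start = 0
        while (i := buf.find(pattern, start)) != -1:
            hits.append((i, label))
            start = i + 1
    return sorted(hits)


def formbook_verdict(buf: bytes) -> bool:
    """Assumed JPCERT condition: all three sqlite3 hashes must be pushed."""
    labels = {label for _, label, _ in find_push_hashes(buf)}
    return labels == set(PUSH_HASHES.values())


def build_sample() -> bytes:
    """Constructed test buffer: filler, a decoy push, the three push-hash call
    sites, the rdtsc sequence, and the sqlite3step hash bytes without the 0x68
    opcode, which must not count."""
    buf = bytearray(b"\x90" * 16)
    buf += b"\x68" + struct.pack("<I", 0xDEADBEEF)                   # decoy
    buf += b"\x68" + struct.pack("<I", 0xE17B1C34) + b"\xff\xd0"     # push; call eax
    buf += b"\x68" + struct.pack("<I", 0xC5902A38) + b"\xff\xd0"
    buf += b"\x68" + struct.pack("<I", 0x8C7FD853) + b"\xff\xd0"
    buf += SEQUENCES["rdtsc_delta"]
    buf += struct.pack("<I", 0xE17B1C34)                             # no opcode
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for off, label, imm in find_push_hashes(sample):
        print(f"0x{off:04x} push 0x{imm:08X}  {label}")
    for off, label in find_sequences(sample):
        print(f"0x{off:04x} {label}")
    print("formbook:", formbook_verdict(sample))
```

Each hash occurs at two offsets in the unpacked PE above (for example 0x17629 and 0x1773c for sqlite3step), so when you run this against a real dump expect paired hits per hash; a single scattered hit is more likely a coincidental immediate.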

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match, File source: 0000000A.00000002.483209800.00000000035E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.285825335.0000000001480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.481843345.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.234773983.0000000003C17000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.280990399.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.285998034.00000000014B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.483004188.00000000035B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.486073260.0000000003E84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.483763459.0000000004234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 3.2.ATR1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.ATR1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\U5jylqh\1bsdwdzi4xdbt2h.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ATR1.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h, 0_2_0801BA08
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then jmp 0801CE62h, 0_2_0801CE22
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then jmp 0801CE62h, 0_2_0801BF30
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then jmp 0801CE62h, 0_2_0801BFCE
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h, 0_2_0801B9FC
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then jmp 0801CE62h, 0_2_0801CDEE
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then jmp 0801CE62h, 0_2_0801CE7C
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h, 0_2_08010E88
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h, 0_2_08012EFC
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then jmp 0801CE62h, 0_2_0801BF2D
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then jmp 0801CE62h, 0_2_0801CF5C
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then jmp 0801CE62h, 0_2_0801BF9F
Source: C:\Users\user\Desktop\ATR1.exe, Code function: 4x nop then jmp 0801CE62h, 0_2_0801BFE7
Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h], 30_2_071762E4
Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h], 30_2_07177168
Source: global traffic, HTTP traffic detected: GET /hnh/?qDK01JEX=h/4DcK1oRmQPNXcsBQGJmENtdlNoZa85XYz4HTDaapT5oIalCVcEvkAIiZHN/BUgzOf8&zN9hQH=1bDh-DOP98ftZJ-0 HTTP/1.1 | Host: www.patlod.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hnh/?qDK01JEX=h/4DcK1oRmQPNXcsBQGJmENtdlNoZa85XYz4HTDaapT5oIalCVcEvkAIiZHN/BUgzOf8&zN9hQH=1bDh-DOP98ftZJ-0 HTTP/1.1 | Host: www.patlod.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
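The captured GET above is what the "HTTP GET or POST without a user agent" signature fires on, and it has the beacon shape visible in this report: a short single-segment path (/hnh/), two parameters with random-looking names, the first carrying a base64-like blob and the second a short identifier, only Host and Connection: close as headers, and a 7-byte body on a GET. The server answered 404 for /hnh/ (see the response further down); a 404 says nothing about the intent of the request, so a detector should score the request, not the response. The Python below is an added example, not part of the report: it re-assembles the captured request with CRLF line endings (the report collapses them), adds a constructed benign browser GET as a control, and returns the reasons each request is or is not flagged.

```python
"""Score an HTTP request for the beacon traits shown in this report.

CAPTURED_BEACON is the GET listed under "HTTP traffic detected", re-assembled
with CRLF line endings; its 7-byte body is the "Data Raw" shown there.
BENIGN_GET is a constructed control request, not from the report.
"""
import re
from typing import Dict, List, Tuple

CAPTURED_BEACON = (
    b"GET /hnh/?qDK01JEX=h/4DcK1oRmQPNXcsBQGJmENtdlNoZa85XYz4HTDaapT5oIalCVcEvkAIiZHN/BUgzOf8"
    b"&zN9hQH=1bDh-DOP98ftZJ-0 HTTP/1.1\r\n"
    b"Host: www.patlod.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)

BENIGN_GET = (
    b"GET /search?q=formbook HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

SHORT_PATH = re.compile(r"/[A-Za-z0-9]{2,6}/")      # e.g. /hnh/
RANDOM_KEY = re.compile(r"[A-Za-z0-9]{4,12}")       # e.g. qDK01JEX, zN9hQH
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")   # base64 alphabet, no padding


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def assess(raw: bytes) -> List[str]:
    """Return the beacon traits present in the request (empty list = clean)."""
    method, target, headers, body = parse_request(raw)
    reasons: List[str] = []
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if method == "GET" and body:
        reasons.append(f"GET request carries a {len(body)}-byte body")
    path, _, query = target.partition("?")
    params = [kv.split("=", 1) for kv in query.split("&") if "=" in kv]
    if (SHORT_PATH.fullmatch(path) and len(params) == 2
            and all(RANDOM_KEY.fullmatch(k) for k, _ in params)
            and B64_BLOB.fullmatch(params[0][1])):
        reasons.append("beacon-shaped URI: short path, random parameter names, "
                       "one base64-like blob and one short id")
    return reasons


def is_beacon(raw: bytes) -> bool:
    """Two independent traits is the threshold used here (an assumption)."""
    return len(assess(raw)) >= 2


if __name__ == "__main__":
    for name, req in (("captured", CAPTURED_BEACON), ("benign", BENIGN_GET)):
        print(name, is_beacon(req), assess(req))
```

The host header alone is the weakest indicator here: FormBook rotates through a list of domains, so www.patlod.com is worth blocking but the request shape is what carries over to the next sample.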
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown, DNS traffic detected: queries for: g.msn.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 31 Jul 2020 19:02:33 GMT | Server: Apache/2.4.29 (Ubuntu) | Content-Length: 327 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 6e 68 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hnh/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000004.00000000.266152365.0000000013CB0000.00000002.00000001.sdmp, String found in binary or memory: http://%s.com
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000004.00000000.266152365.0000000013CB0000.00000002.00000001.sdmp, String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000004.00000000.262127688.000000000ED17000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://sads.myspace.com/
Source: ATR1.exe, 00000000.00000002.234319338.00000000023DC000.00000004.00000001.sdmp, 1bsdwdzi4xdbt2h.exe, 0000001E.00000002.483790696.000000000264C000.00000004.00000001.sdmp, 1bsdwdzi4xdbt2h.exe, 0000001F.00000002.481485091.00000000029FC000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmp, String found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000004.00000000.266152365.0000000013CB0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000004.00000000.266152365.0000000013CB0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000004.00000000.250333631.0000000006000000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.257631035.000000000BF06000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000004.00000000.266583956.0000000013DA3000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 0000000A.00000002.483209800.00000000035E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.285825335.0000000001480000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.481843345.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.234773983.0000000003C17000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.280990399.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.285998034.00000000014B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.483004188.00000000035B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001E.00000002.486073260.0000000003E84000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001F.00000002.483763459.0000000004234000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 3.2.ATR1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.ATR1.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\wscript.exe, Dropped file: C:\Users\user\AppData\Roaming\OL-MN2TC\OL-logri.ini
          Source: C:\Windows\SysWOW64\wscript.exe, Dropped file: C:\Users\user\AppData\Roaming\OL-MN2TC\OL-logrv.ini
          Malicious sample detected (through community Yara rule)
          Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Both rules matched in each of the following sources:
          Source: 0000000A.00000002.483209800.00000000035E0000.00000004.00000001.sdmp, type: MEMORY
          Source: 00000003.00000002.285825335.0000000001480000.00000040.00000001.sdmp, type: MEMORY
          Source: 0000000A.00000002.481843345.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
          Source: 00000000.00000002.234773983.0000000003C17000.00000004.00000001.sdmp, type: MEMORY
          Source: 00000003.00000002.280990399.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: 00000003.00000002.285998034.00000000014B0000.00000040.00000001.sdmp, type: MEMORY
          Source: 0000000A.00000002.483004188.00000000035B0000.00000040.00000001.sdmp, type: MEMORY
          Source: 0000001E.00000002.486073260.0000000003E84000.00000004.00000001.sdmp, type: MEMORY
          Source: 0000001F.00000002.483763459.0000000004234000.00000004.00000001.sdmp, type: MEMORY
          Source: 3.2.ATR1.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 3.2.ATR1.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E755C031_2_04E755C0
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E755D031_2_04E755D0
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E7675831_2_04E76758
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E760A531_2_04E760A5
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E7516831_2_04E75168
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E7515931_2_04E75159
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E7538831_2_04E75388
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E74DE831_2_04E74DE8
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E73F8831_2_04E73F88
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E73F9831_2_04E73F98
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E70F3D31_2_04E70F3D
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E75AA031_2_04E75AA0
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_04E75A9031_2_04E75A90
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_0855B9A031_2_0855B9A0
          Source: C:\Program Files (x86)\U5jylqh\1bsdwdzi4xdbt2h.exeCode function: 31_2_08555F2831_2_08555F28
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 054FB150 appears 45 times
          Source: ATR1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 1bsdwdzi4xdbt2h.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: ATR1.exe | Binary or memory string: OriginalFilename vs ATR1.exe
          Source: ATR1.exe, 00000000.00000002.232723213.0000000000022000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameaJTfZLnhKT.exe. vs ATR1.exe
          Source: ATR1.exe, 00000000.00000002.234319338.00000000023DC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAphrodite.dll4 vs ATR1.exe
          Source: ATR1.exe, 00000000.00000002.237198231.0000000007EE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJupiter.dll0 vs ATR1.exe
          Source: ATR1.exe, 00000002.00000002.231129346.0000000000252000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameaJTfZLnhKT.exe. vs ATR1.exe
          Source: ATR1.exe, 00000003.00000000.231804228.0000000000722000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameaJTfZLnhKT.exe. vs ATR1.exe
          Source: ATR1.exe, 00000003.0