
Analysis Report SecuriteInfo.com.Trojan.PackedNET.405.19996.11100

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.PackedNET.405.19996.11100 (renamed file extension from 11100 to exe)
Analysis ID: 269500
MD5: 4c7ff767584b23bad6fe05270fda579b
SHA1: 30e9b214509182546a1f8546d46a5ac9c7cc5713
SHA256: 86c28512dbc7ff79104d2c3bd9e81dcd493016f61316890206d3dcfeee47a244

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.PackedNET.405.19996.exe (PID: 7004 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe' MD5: 4C7FF767584B23BAD6FE05270FDA579B)
    • RegSvcs.exe (PID: 7052 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3420 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • WWAHost.exe (PID: 6872 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 5252 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.1285237261.00000000041B9000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.1285237261.00000000041B9000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0xafab0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xafd1a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xdb6d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xdb93a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xbb99d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0xe75bd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0xbb489:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0xe70a9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0xbba9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0xe76bf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0xbbc17:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xe7837:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xb0892:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0xdc4b2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0xba704:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xe6324:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb158b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0xdd1ab:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0xc0d0f:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xec92f:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xc1d12:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1285237261.00000000041B9000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0xbe621:$sqlite3step: 68 34 1C 7B E1
    • 0xbe734:$sqlite3step: 68 34 1C 7B E1
    • 0xea241:$sqlite3step: 68 34 1C 7B E1
    • 0xea354:$sqlite3step: 68 34 1C 7B E1
    • 0xbe650:$sqlite3text: 68 38 2A 90 C5
    • 0xbe775:$sqlite3text: 68 38 2A 90 C5
    • 0xea270:$sqlite3text: 68 38 2A 90 C5
    • 0xea395:$sqlite3text: 68 38 2A 90 C5
    • 0xbe663:$sqlite3blob: 68 53 D8 7F 8C
    • 0xbe78b:$sqlite3blob: 68 53 D8 7F 8C
    • 0xea283:$sqlite3blob: 68 53 D8 7F 8C
    • 0xea3ab:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.1540149665.0000000003400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.1540149665.0000000003400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author
1.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17629:$sqlite3step: 68 34 1C 7B E1
        • 0x1773c:$sqlite3step: 68 34 1C 7B E1
        • 0x17658:$sqlite3text: 68 38 2A 90 C5
        • 0x1777d:$sqlite3text: 68 38 2A 90 C5
        • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
1.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match, File source: 00000000.00000002.1285237261.00000000041B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1540149665.0000000003400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1359100990.0000000001590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1539941886.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1540184552.0000000003430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1355055994.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1358975598.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exe, Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop ebx, 1_2_00407AD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop edi, 1_2_0040E56E
Source: C:\Windows\SysWOW64\WWAHost.exe, Code function: 4x nop then pop ebx, 8_2_02AE7AD1
Source: C:\Windows\SysWOW64\WWAHost.exe, Code function: 4x nop then pop edi, 8_2_02AEE56E
Source: global traffic, HTTP traffic detected: GET /usc/?LlS=hmrohIvzLI1j0JjLtxfBXyy0eHws+bE4ZP0WSRKWZU59Qc+J/zUznnQqQVJaZnPJs3+n&1bThAz=X0DtCDl8y HTTP/1.1 | Host: www.zodiaccasinoonline.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown, DNS traffic detected: queries for: www.minajatwa.com
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319637591.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000002.00000000.1319637591.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000002.00000000.1299643309.0000000004970000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000002.00000000.1313848975.000000000CF81000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000002.00000000.1319916642.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.1318972837.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: WWAHost.exe, 00000008.00000002.1540930946.000000000418F000.00000004.00000001.sdmp String found in binary or memory: http://zodiaccasinoonline.com/usc/?LlS=hmrohIvzLI1j0JjLtxfBXyy0eHws
          Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exe, 00000000.00000002.1282221648.0000000000E8B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, file source: 00000000.00000002.1285237261.00000000041B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000008.00000002.1540149665.0000000003400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.1359100990.0000000001590000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000008.00000002.1539941886.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000008.00000002.1540184552.0000000003430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.1355055994.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000001.00000002.1358975598.0000000001560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000000.00000002.1285237261.00000000041B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1285237261.00000000041B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1540149665.0000000003400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1540149665.0000000003400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1359100990.0000000001590000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1359100990.0000000001590000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1539941886.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1539941886.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1540184552.0000000003430000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1540184552.0000000003430000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1355055994.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1355055994.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1358975598.0000000001560000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1358975598.0000000001560000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00419830 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004198E0 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00419960 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00419A10 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041982A NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004198DA NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041995A NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012999A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012998F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012995D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012997A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012996E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299950 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012999D0 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299820 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0129B040 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012998A0 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299B00 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0129A3B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299A10 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299A80 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299520 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0129AD30 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299560 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012995F0 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299730 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0129A710 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299760 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299770 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0129A770 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299FE0 NtCreateMutant
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299610 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299670 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01299650 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_012996D0 NtCreateKey
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_038596D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_038596E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_038599A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_038595D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_038597A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_0385A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_0385A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859760 NtOpenProcess
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_0385A770 NtOpenThread
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859A10 NtQuerySection
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859A20 NtResumeThread
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_038599D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_038595F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_0385AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859560 NtWriteFile
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_038598A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_038598F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_03859820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_0385B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_02AF9A10 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_02AF98E0 NtReadFile
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_02AF9830 NtCreateFile
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_02AF9960 NtClose
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_02AF98DA NtReadFile
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_02AF982A NtCreateFile
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 8_2_02AF995A NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0125B150 appears 45 times
          Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.PackedNET.405.19996.exe
          Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exe, 00000000.00000002.1281872091.0000000000652000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLHI.exe8 vs SecuriteInfo.com.Trojan.PackedNET.405.19996.exe
          Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exe, 00000000.00000002.1282395003.00000000029B1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAmun.dll, vs SecuriteInfo.com.Trojan.PackedNET.405.19996.exe
          Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exe, 00000000.00000002.1282221648.0000000000E8B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.PackedNET.405.19996.exe
          Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exe, 00000000.00000002.1287159962.0000000008020000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLoreal.exe4 vs SecuriteInfo.com.Trojan.PackedNET.405.19996.exe
          Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exe Binary or memory string: OriginalFilenameLHI.exe8 vs SecuriteInfo.com.Trojan.PackedNET.405.19996.exe
          Source: 00000000.00000002.1285237261.00000000041B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1285237261.00000000041B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1540149665.0000000003400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1540149665.0000000003400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1359100990.0000000001590000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1359100990.0000000001590000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1539941886.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1539941886.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1540184552.0000000003430000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1540184552.0000000003430000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1355055994.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1355055994.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1358975598.0000000001560000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1358975598.0000000001560000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/1@3/1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_01
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WWAHost.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe'
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SecuriteInfo.com.Trojan.PackedNET.405.19996.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
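The process-creation entries above (the packed .NET loader spawning RegSvcs.exe with a `{path}` argument, and WWAHost.exe later issuing `cmd /c del` against that same RegSvcs.exe) and the YARA matches at the top of this section are the two halves of the FormBook injection chain this report records: payload unpacked into RegSvcs.exe, migrated into a SysWOW64 process, host image deleted afterwards. The script below is an added example and is not part of the Joe Sandbox report. It parses report lines of this shape into structured events, decodes the memory-dump names, and tags the chain. Assumptions: the dump-name layout `<process>.<stage>.<dump id>.<base>.<page protection>.<type>.sdmp` is inferred from the report's own naming (the `1.2.RegSvcs.exe.400000` unpack entry lines up with process 00000001 at base 0x400000, and protection 0x40 is the Windows PAGE_EXECUTE_READWRITE constant); the ` | ` separator between the Source column and the signature detail is supplied here; the indicator names are my own.

```python
"""Parse Joe Sandbox-style signature lines and flag the FormBook injection chain.

Added example; not part of the original report. The field meanings for the
memory-dump names are inferred from the report's own naming (assumption).
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report, with " | " separating the
# Source column from the signature detail.
SAMPLE_LINES = r"""
Source: 00000001.00000002.1355055994.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein
Source: 00000001.00000002.1355055994.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 00000008.00000002.1540149665.0000000003400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23
Source: 00000008.00000002.1540184552.0000000003430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
"""

LINE_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|\s*(?P<kind>[A-Za-z ]+?):\s*(?P<detail>.*)$")
# <process>.<stage>.<dump id>.<base>.<protection>.<type>.sdmp   (assumed layout)
DUMP_RE = re.compile(r"^(?P<proc>\d{8})\.\d{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.\d{8}\.sdmp$")
# <process>.<stage>.<image>.<base>.<n>[.raw].unpack               (assumed layout)
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.\d+\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$")
EXE_RE = re.compile(r"^(?P<image>.+?\.exe)(?:\s+(?P<args>.*))?$", re.I)
DOTNET_FW = re.compile(r"\\Windows\\Microsoft\.NET\\Framework(?:64)?\\", re.I)
PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant


def parse_events(text):
    """Turn report lines into dicts with src, kind and detail; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def yara_hits(events):
    """Map rule name -> set of (process number, base address, page protection or None)."""
    hits = defaultdict(set)
    for ev in events:
        if ev["kind"] != "Matched rule":
            continue
        rule = ev["detail"].split()[0]
        name = ev["src"].split(",")[0]
        if m := DUMP_RE.match(name):
            hits[rule].add((int(m["proc"]), int(m["base"], 16), int(m["prot"], 16)))
        elif m := UNPACK_RE.match(name):
            hits[rule].add((int(m["proc"]), int(m["base"], 16), None))  # unpacked PE, no protection recorded
    return dict(hits)


def rwx_processes(hits, rule_prefix="Formbook"):
    """Processes holding a rule match inside an RWX region: the footprint of injected, self-unpacked code."""
    return {proc for rule, locs in hits.items() if rule.startswith(rule_prefix)
            for proc, _base, prot in locs if prot == PAGE_EXECUTE_READWRITE}


def process_chain(events):
    """List of (parent, child image, child arguments) from 'Process created' lines."""
    chain = []
    for ev in events:
        if ev["kind"] != "Process created":
            continue
        m = EXE_RE.match(ev["detail"])
        if m:
            chain.append((ev["src"], m["image"], m["args"] or ""))
    return chain


def assess_formbook_chain(events):
    """Return sorted indicator tags describing the injection chain seen in the report."""
    tags = set()
    for parent, image, args in process_chain(events):
        # user-writable loader starting a signed .NET Framework utility as its injection host
        if parent.lower().startswith("c:\\users\\") and DOTNET_FW.search(image):
            tags.add("dotnet_host_spawned_from_user_dir")
        # cleanup: cmd /c del against the hollowed host binary's path
        if image.lower().endswith("cmd.exe") and re.search(r"\bdel\b", args, re.I) and DOTNET_FW.search(args):
            tags.add("self_delete_of_dotnet_host")
    if rwx_processes(yara_hits(events)):
        tags.add("formbook_yara_in_rwx_memory")
    for ev in events:
        if (ev["kind"] == "File read" and ev["detail"].lower().endswith(r"\drivers\etc\hosts")
                and ev["src"].lower().startswith("c:\\windows\\")):
            tags.add("hosts_file_read_by_system_process")
    return sorted(tags)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for rule, locs in yara_hits(evs).items():
        print(rule, sorted(locs, key=lambda t: (t[0], t[1])))
    print("RWX processes:", rwx_processes(yara_hits(evs)))
    print("indicators:", assess_formbook_chain(evs))
```

Run against the sample, the RWX set is {1, 8}: process 1 (RegSvcs.exe) and process 8 (WWAHost.exe) both hold FormBook code in executable-writable memory, while the 0x04 (PAGE_READWRITE) hit at 0x3430000 is data, not code. Feeding a full report into `parse_events` only requires inserting the ` | ` separator the extraction dropped; the tag set is what you would turn into a Sigma rule or hunt query for the parent/child and `cmd /c del` relationships.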
          Source: Binary string: WWAHost.pdb source: RegSvcs.exe, 00000001.00000002.1360482452.0000000003220000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.1306215245.0000000006850000.00000002.00000001.sdmp
          Source: Binary string: WWAHost.pdbUGP source: RegSvcs.exe, 00000001.00000002.1360482452.0000000003220000.00000040.00000001.sdmp
          Source: Binary string: RegSvcs.pdb, source: WWAHost.exe, 00000008.00000002.1540880850.0000000003D1F000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000002.1355720356.0000000001230000.00000040.00000001.sdmp, WWAHost.exe, 00000008.00000002.1540312262.00000000037F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, WWAHost.exe
          Source: Binary string: RegSvcs.pdb source: WWAHost.exe, 00000008.00000002.1540880850.0000000003D1F000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.1306215245.0000000006850000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PackedNET.405.19996.exe | Code function: 0_2_049F9CDE push dword ptr [edx+ebp*2-75h]; iretd 0_2_049F9CE7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00419B74 push ecx; retf 1_2_00419B76
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041DC9A push dword ptr [F4EECDBAh]; ret 1_2_0041DDC1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041BE31 pushfd ; iretd 1_2_0041BE39
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041C6F2 push eax; ret 1_2_0041C6F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041C6FB push eax; ret 1_2_0041C762
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041C6A5 push eax; ret 1_2_0041C6F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041C75C push eax; ret 1_2_0041C762
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041DF