Analysis Report documents.09.20.doc

Overview

General Information

Sample Name: documents.09.20.doc
Analysis ID: 286560
MD5: 6684e1ff76e75c81ed7a8369b7d9b756
SHA1: db8624ca75e7b7f1870d947ab5c3f033e812a457
SHA256: 0176139b53da63665f94db957f7baa1ebfa10c9ae02f9e623c8efe2d2a941cfa

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Renamed MSHTA launching html
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Office process drops PE file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Allocates memory with a write watch (potentially for evading sandboxes)
Contains capabilities to detect virtual machines
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1468 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
    • in.com (PID: 1320 cmdline: C:\users\public\in.com C:\users\public\in.html MD5: 95828D670CFD3B16EE188168E083C3C5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Renamed MSHTA launching html
Source: Process started, Author: Joe Security, Data: Command: C:\users\public\in.com C:\users\public\in.html, CommandLine: C:\users\public\in.com C:\users\public\in.html, CommandLine|base64offset|contains: , Image: C:\Users\Public\in.com, NewProcessName: C:\Users\Public\in.com, OriginalFileName: C:\Users\Public\in.com, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1468, ProcessCommandLine: C:\users\public\in.com C:\users\public\in.html, ProcessId: 1320
Sigma detected: Executables Started in Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: C:\users\public\in.com C:\users\public\in.html, CommandLine: C:\users\public\in.com C:\users\public\in.html, CommandLine|base64offset|contains: , Image: C:\Users\Public\in.com, NewProcessName: C:\Users\Public\in.com, OriginalFileName: C:\Users\Public\in.com, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1468, ProcessCommandLine: C:\users\public\in.com C:\users\public\in.html, ProcessId: 1320
Sigma detected: Execution in Non-Executable Folder
Source: Process started, Author: Florian Roth, Data: Command: C:\users\public\in.com C:\users\public\in.html, CommandLine: C:\users\public\in.com C:\users\public\in.html, CommandLine|base64offset|contains: , Image: C:\Users\Public\in.com, NewProcessName: C:\Users\Public\in.com, OriginalFileName: C:\Users\Public\in.com, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1468, ProcessCommandLine: C:\users\public\in.com C:\users\public\in.html, ProcessId: 1320
Sigma detected: Suspicious Program Location Process Starts
Source: Process started, Author: Florian Roth, Data: Command: C:\users\public\in.com C:\users\public\in.html, CommandLine: C:\users\public\in.com C:\users\public\in.html, CommandLine|base64offset|contains: , Image: C:\Users\Public\in.com, NewProcessName: C:\Users\Public\in.com, OriginalFileName: C:\Users\Public\in.com, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1468, ProcessCommandLine: C:\users\public\in.com C:\users\public\in.html, ProcessId: 1320

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: wnc2sod.com, Virustotal: Detection: 8%
Source: http://wnc2sod.com/jivo/neky.php?l=wosam9.cab, Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: documents.09.20.doc, Virustotal: Detection: 43%
Machine Learning detection for sample
Source: documents.09.20.doc, Joe Sandbox ML: detected

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: in.com.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Users\Public\in.com
Source: global traffic, DNS query: name: wnc2sod.com
Source: unknown, DNS traffic detected: query: wnc2sod.com replaycode: Server failure (2)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B65F8163-1CF8-4E74-AA78-05F4F57053A0}.tmp
Source: unknown, DNS traffic detected: queries for: wnc2sod.com
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
Source: in.com, 00000002.00000002.2343168876.00000000035A7000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: in.com, 00000002.00000002.2344043364.0000000004280000.00000004.00000040.sdmp, in.com, 00000002.00000002.2342656360.0000000002D4E000.00000004.00000001.sdmpString found in binary or memory: http://wnc2sod.com/jivo/neky.php?l=wosam9.cab
Source: in.com, 00000002.00000002.2344043364.0000000004280000.00000004.00000040.sdmpString found in binary or memory: http://wnc2sod.com/jivo/neky.php?l=wosam9.cab2
Source: in.com, 00000002.00000002.2342384831.0000000002CA4000.00000004.00000001.sdmpString found in binary or memory: http://wnc2sod.com/jivo/neky.php?l=wosam9.cabL/
Source: in.com, 00000002.00000002.2344523989.0000000005730000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
Source: in.com, 00000002.00000002.2343460236.0000000003AF0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.bethmardutho.org.P
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.c-and-g.co.jp
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.in/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.br/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.cz/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.de/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.es/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.fr/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.it/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.pl/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.ru/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.si/
Source: in.com, 00000002.00000002.2342946891.00000000033C0000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
Source: in.com, 00000002.00000002.2343168876.00000000035A7000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: in.com, 00000002.00000002.2342946891.00000000033C0000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.ncst.ernet.in/~rkjoshi
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.orange.fr/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com;Copyright
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.de
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
Source: in.com, 00000002.00000002.2342946891.00000000033C0000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
Source: in.com, 00000002.00000002.2344260568.0000000004620000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: in.com, 00000002.00000002.2344746304.00000000057E9000.00000008.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
Source: C:\Users\Public\in.com Window created: window name: CLIPBRDWNDCLASS

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content" a
Source: Screenshot number: 4 Screenshot OCR: Enable content" a
Source: Document image extraction number: 0 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content"
Source: Document image extraction number: 0 Screenshot OCR: Enable content"
Source: Document image extraction number: 1 Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content"
Source: Document image extraction number: 1 Screenshot OCR: Enable content"
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\Public\in.com
Source: C:\Users\Public\in.com Code function: 2_2_000000013FF21238
Source: documents.09.20.doc OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation OLE, VBA macro: Module a9pwjI, Function AutoOpen Name: AutoOpen
Source: documents.09.20.doc OLE indicator, VBA macros: true
Source: documents.09.20.doc OLE indicator has summary info: false
Source: documents.09.20.doc OLE indicator application name: unknown
Source: Joe Sandbox View Dropped File: C:\Users\Public\in.com 8C10AE4BE93834A4C744F27CA79736D9123ED9B0D180DB28556D2D002545BAF2
Source: C:\Users\Public\in.com Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: in.com, 00000002.00000002.2342946891.00000000033C0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.expl.winDOC@3/13@4/0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$cuments.09.20.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC052.tmp
Source: documents.09.20.doc OLE document summary: title field not present or empty
Source: documents.09.20.doc OLE document summary: author field not present or empty
Source: documents.09.20.doc OLE document summary: edited time not present or 0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\in.com Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\in.com File read: C:\Windows\System32\drivers\etc\hosts
Source: documents.09.20.doc Virustotal: Detection: 43%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Users\Public\in.com C:\users\public\in.com C:\users\public\in.html
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Users\Public\in.com C:\users\public\in.com C:\users\public\in.html
Source: C:\Users\Public\in.com Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Users\Public\in.com Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mshta.pdbH source: in.com, 00000002.00000002.2347808802.000000013FF21000.00000020.00020000.sdmp, in.com.0.dr
Source: Binary string: wshom.pdb source: in.com, 00000002.00000002.2342770370.0000000002EE0000.00000002.00000001.sdmp
Source: Binary string: mshta.pdb source: in.com, in.com.0.dr

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\Public\in.com

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\Public\in.com
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX