
Analysis Report 15message.dat.exe

Overview

General Information

Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 96293
Start date: 06.12.2018
Start time: 23:04:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 21s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 15message.dat.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.evad.winEXE@5/9@161/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 97.1%)
  • Quality average: 84.1%
  • Quality standard deviation: 23%
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 23
  • Number of non-executed functions: 122
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, TiWorker.exe, RuntimeBroker.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, WmiPrvSE.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy    Score   Range     Detection
Threshold   96      0 - 100   malicious

Confidence

Strategy    Score   Range   Further Analysis Required?
Threshold   5       0 - 5   false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has a GUI, but Joe Sandbox has not found any clickable buttons; additional UI automation would likely extend the observed behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



MITRE ATT&CK Matrix

Techniques per tactic as shown in the report matrix. Numbers in brackets are the signature-hit counts the matrix shows as superscripts after a technique; techniques without a number had no hits.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Execution through Module Load [1]; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Registry Run Keys / Start Folder [1]; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection [3 1 1]; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Masquerading [1]; Software Packing [1]; Disabling Security Tools [1]; Process Injection [3 1 1]; Obfuscated Files or Information [2]
Credential Access: Input Capture [1]; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Process Discovery [2]; Security Software Discovery [2 1]; Remote System Discovery [1]; System Information Discovery [2 3]; Remote System Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Input Capture [1]; Data from Local System [1]; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol [1]; Standard Non-Application Layer Protocol [1]; Standard Application Layer Protocol [1]; Multiband Communication; Standard Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Windows\tserv.exe | Avira: Label: WORM/Stration.C
Antivirus detection for submitted file
Source: 15message.dat.exe | Avira: Label: WORM/Stration.C
Antivirus detection for unpacked file
Source: 6.0.tserv.exe.400000.3.unpack | Avira: Label: WORM/Stration.C
Source: 6.0.tserv.exe.400000.2.unpack | Avira: Label: WORM/Stration.C
Source: 4.0.15message.dat.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 4.2.15message.dat.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 6.2.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 6.1.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 6.0.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 6.0.tserv.exe.400000.1.unpack | Avira: Label: WORM/Stration.C

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose,4_2_00406360

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 98.136.101.117
Source: Joe Sandbox View | IP Address: 98.137.159.27
Social media urls found in memory data
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmp | Strings found in binary or memory:
  • http://www.facebook.com/
  • http://www.facebook.com/favicon.ico
Found strings which match to known social media urls
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmp | Strings found in binary or memory:
  • <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
  • <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
  • <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
  • <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
  • <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
  • <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
  • <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
  • <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
  • <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
  • <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000000B.00000000.5210473918.0000000006930000.00000002.sdmp | String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: tserv.exe, 00000006.00000002.6131528942.00000000021B0000.00000004.sdmp | String found in binary or memory: hotmail.com equals www.hotmail.com (Hotmail)
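Nearly all of the string hits in this section come from explorer.exe memory dumps, and the strings themselves (OpenSearch <URL>, <FavoriteIcon> and <SuggestionsURL> elements) are Internet Explorer search-provider definitions that live in that system process regardless of the sample; the one hit from a process the sample created is "hotmail.com" in tserv.exe. The script below is an added triage example, not part of the Joe Sandbox report or its tooling: it parses "String found in binary or memory" lines of the form used in this report (accepting both the raw export, where the separator between the dump id and "String found" is lost, and the cleaned form above), groups the hits by process and memory dump, and separates hits in the sample's own processes from hits in everything else. The set of sample process names and the sample input lines are constructed from this report's data; the dump ids are copied from it.

```python
"""Triage helper for Joe Sandbox "String found in binary or memory" lines.

Added example, not part of the Joe Sandbox report. It groups string hits
by the process and memory dump they came from and separates hits inside
the sample's own processes (15message.dat.exe and tserv.exe, taken from
the report) from hits in system processes such as explorer.exe, whose own
memory carries the Internet Explorer search-provider URLs the report lists.
"""
import re
from collections import defaultdict

# Process names the analyst treats as belonging to the sample (from the report).
SAMPLE_PROCESSES = {"15message.dat.exe", "tserv.exe"}

# Matches both the raw export (separator lost: "...sdmpString found ...")
# and a cleaned line ("...sdmp | String found ...").
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>[^,]+?),\s*"
    r"(?P<dump>[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}\.[0-9A-Fa-f]{8}\.sdmp)"
    r"\s*\|?\s*String found in binary or memory:\s*(?P<value>.+?)\s*$"
)


def parse_line(line):
    """Return (process, dump_id, value) for a string hit, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("proc"), m.group("dump"), m.group("value")


def triage(lines, sample_processes=SAMPLE_PROCESSES):
    """Split hits into those from the sample's processes and those from others.

    Returns {"sample": {...}, "other": {...}}, each mapping
    (process, dump_id) -> sorted list of unique strings.
    """
    buckets = {"sample": defaultdict(set), "other": defaultdict(set)}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, dump, value = parsed
        key = "sample" if proc.lower() in sample_processes else "other"
        buckets[key][(proc, dump)].add(value)
    return {k: {src: sorted(v) for src, v in d.items()} for k, d in buckets.items()}


# Constructed input modelled on lines in this report (dump ids copied from it).
REPORT_LINES = [
    "Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.facebook.com/",
    "Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://search.yahoo.com/",
    "Source: explorer.exe, 0000000B.00000000.5210473918.0000000006930000.00000002.sdmpString found in binary or memory: http://%s.com",
    "Source: tserv.exe, 00000006.00000002.6131528942.00000000021B0000.00000004.sdmp | String found in binary or memory: hotmail.com",
    "Source: unknownDNS traffic detected: queries for: yahoo.com",  # not a string hit, skipped
]

if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for bucket in ("sample", "other"):
        print(f"== {bucket} ==")
        for (proc, dump), values in sorted(result[bucket].items()):
            print(f"{proc} [{dump}]")
            for v in values:
                print(f"    {v}")
```

Run it against the full text of the signature section to see how few of the several hundred URL hits are attributable to the sample; the "other" bucket is where the browser search-provider noise lands and can be reviewed separately.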
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: yahoo.com
Urls found in memory or binary data
Source: explorer.exe, 0000000B.00000000.5210473918.0000000006930000.00000002.sdmp | Strings found in binary or memory:
  • http://%s.com
  • http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmp | Strings found in binary or memory:
  • http://fontfabrik.com
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmp | Strings found in binary or memory:
  • http://amazon.fr/
  • http://ariadna.elmundo.es/
  • http://ariadna.elmundo.es/favicon.ico
  • http://arianna.libero.it/
  • http://arianna.libero.it/favicon.ico
  • http://asp.usatoday.com/
  • http://asp.usatoday.com/favicon.ico
  • http://auone.jp/favicon.ico
  • http://br.search.yahoo.com/
  • http://browse.guardian.co.uk/
  • http://browse.guardian.co.uk/favicon.ico
  • http://busca.buscape.com.br/
  • http://busca.buscape.com.br/favicon.ico
  • http://busca.estadao.com.br/favicon.ico
  • http://busca.igbusca.com.br/
  • http://busca.igbusca.com.br//app/static/images/favicon.ico
  • http://busca.orange.es/
  • http://busca.uol.com.br/
  • http://busca.uol.com.br/favicon.ico
  • http://buscador.lycos.es/
  • http://buscador.terra.com.br/
  • http://buscador.terra.com/
  • http://buscador.terra.com/favicon.ico
  • http://buscador.terra.es/
  • http://buscar.ozu.es/
  • http://buscar.ya.com/
  • http://busqueda.aol.com.mx/
  • http://cerca.lycos.it/
  • http://cgi.search.biglobe.ne.jp/
  • http://cgi.search.biglobe.ne.jp/favicon.ico
  • http://clients5.google.com/complete/search?hl=
  • http://cnet.search.com/
  • http://cnweb.search.live.com/results.aspx?q=
  • http://corp.naukri.com/
  • http://corp.naukri.com/favicon.ico
  • http://de.search.yahoo.com/
  • http://es.ask.com/
  • http://es.search.yahoo.com/
  • http://esearch.rakuten.co.jp/
  • http://espanol.search.yahoo.com/
  • http://espn.go.com/favicon.ico
  • http://find.joins.com/
  • http://fr.search.yahoo.com/
  • http://google.pchome.com.tw/
  • http://home.altervista.org/
  • http://home.altervista.org/favicon.ico
  • http://ie.search.yahoo.com/os?command=
  • http://ie8.ebay.com/open-search/output-xml.php?q=
  • http://image.excite.co.jp/jp/favicon/lep.ico
  • http://images.joins.com/ui_c/fvc_joins.ico
  • http://images.monster.com/favicon.ico
  • http://img.atlas.cz/favicon.ico
  • http://img.shopzilla.com/shopzilla/shopzilla.ico
  • http://in.search.yahoo.com/
  • http://it.search.dada.net/
  • http://it.search.dada.net/favicon.ico
  • http://it.search.yahoo.com/
  • http://jobsearch.monster.com/
  • http://kr.search.yahoo.com/
  • http://list.taobao.com/
  • http://list.taobao.com/browse/search_visual.htm?n=15&q=
  • http://mail.live.com/
  • http://mail.live.com/?rru=compose%3Fsubject%3D
  • http://msk.afisha.ru/
  • http://ocnsearch.goo.ne.jp/
  • http://openimage.interpark.com/interpark.ico
  • http://p.zhongsou.com/
  • http://p.zhongsou.com/favicon.ico
  • http://price.ru/
  • http://price.ru/favicon.ico
  • http://recherche.linternaute.com/
  • http://recherche.tf1.fr/
  • http://recherche.tf1.fr/favicon.ico
  • http://rover.ebay.com
  • http://ru.search.yahoo.com
  • http://sads.myspace.com/
  • http://search-dyn.tiscali.it/
  • http://search.about.com/
  • http://search.alice.it/
  • http://search.alice.it/favicon.ico
  • http://search.aol.co.uk/
  • http://search.aol.com/
  • http://search.aol.in/
  • http://search.atlas.cz/
  • http://search.auction.co.kr/
  • http://search.auone.jp/
  • http://search.books.com.tw/
  • http://search.books.com.tw/favicon.ico
  • http://search.centrum.cz/
  • http://search.centrum.cz/favicon.ico
  • http://search.chol.com/
  • http://search.chol.com/favicon.ico
  • http://search.cn.yahoo.com/
  • http://search.daum.net/
  • http://search.daum.net/favicon.ico
  • http://search.dreamwiz.com/
  • http://search.dreamwiz.com/favicon.ico
  • http://search.ebay.co.uk/
  • http://search.ebay.com/
  • http://search.ebay.com/favicon.ico
  • http://search.ebay.de/
  • http://search.ebay.es/
  • http://search.ebay.fr/
  • http://search.ebay.in/
  • http://search.ebay.it/
  • http://search.empas.com/
  • http://search.empas.com/favicon.ico
  • http://search.espn.go.com/
  • http://search.gamer.com.tw/
  • http://search.gamer.com.tw/favicon.ico
  • http://search.gismeteo.ru/
  • http://search.goo.ne.jp/
  • http://search.goo.ne.jp/favicon.ico
  • http://search.hanafos.com/
  • http://search.hanafos.com/favicon.ico
  • http://search.interpark.com/
  • http://search.ipop.co.kr/
  • http://search.ipop.co.kr/favicon.ico
  • http://search.live.com/results.aspx?FORM=IEFM1&q=
  • http://search.live.com/results.aspx?FORM=SO2TDF&q=
  • http://search.live.com/results.aspx?FORM=SOLTDF&q=
  • http://search.live.com/results.aspx?q=
  • http://search.livedoor.com/
  • http://search.livedoor.com/favicon.ico
  • http://search.lycos.co.uk/
  • http://search.lycos.com/
  • http://search.lycos.com/favicon.ico
  • http://search.msn.co.jp/results.aspx?q=
  • http://search.msn.co.uk/results.aspx?q=
  • http://search.msn.com.cn/results.aspx?q=
  • http://search.msn.com/results.aspx?q=
  • http://search.nate.com/
  • http://search.naver.com/
  • http://search.naver.com/favicon.ico
  • http://search.nifty.com/
  • http://search.orange.co.uk/
  • http://search.orange.co.uk/favicon.ico
  • http://search.rediff.com/
  • http://search.rediff.com/favicon.ico
  • http://search.seznam.cz/
  • http://search.seznam.cz/favicon.ico
  • http://search.sify.com/
  • http://search.yahoo.co.jp
  • http://search.yahoo.co.jp/favicon.ico
  • http://search.yahoo.com/
  • http://search.yahoo.com/favicon.ico
  • http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
  • http://search.yam.com/
  • http://search1.taobao.com/
  • http://search2.estadao.com.br/
  • http://searchresults.news.com.au/
  • http://service2.bfast.com/
  • http://sitesearch.timesonline.co.uk/
  • http://so-net.search.goo.ne.jp/
  • http://suche.aol.de/
  • http://suche.freenet.de/
  • http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000000B.00000000.5210473918.0000000006930000.00000002.sdmpString found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://udn.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000000B.00000000.5210473918.0000000006930000.00000002.sdmpString found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000000B.00000000.5142708348.0000000002B50000.00000002.sdmpString found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000000B.00000000.5223616296.000000000A6A6000.00000002.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
Source: tserv.exe, 00000006.00000002.6128885711.000000000073A000.00000004.sdmpString found in binary or memory: http://www4.cedesunjerinkas.com/chr/wtb/lt.exe
Source: tserv.exe, 00000006.00000002.6128885711.000000000073A000.00000004.sdmpString found in binary or memory: http://www4.cedesunjerinkas.com/chr/wtb/lt.exe$
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 0000000B.00000000.5211864690.0000000006A23000.00000002.sdmpString found in binary or memory: http://z.about.com/m/a08.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: tserv.exe, 00000006.00000002.6128885711.000000000073A000.00000004.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00423D83: QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError
Creates files inside the system directory
Source: C:\Users\user\Desktop\15message.dat.exe; File created: C:\Windows\tserv.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00411800
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_004108D0
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040C8E0
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040F0E9
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00410907
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00404110
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00409119
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040F1C7
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040C1D0
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00404990
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_004091A7
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040E246
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00428A08
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00425214
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00405310
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00408BC0
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00415BD0
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0041B3D0
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040DBF0
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0041E3A0
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00409436
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00409CF7
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0041BD00
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040EDE0
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040DE56
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0041C660
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00410670
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040E676
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00409F47
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040EF78
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0040FF30
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00405F30
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: String function: 0042664C appears 45 times
PE file contains strange resources
Source: 15message.dat.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tserv.exe.4.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\tserv.exe; File read: C:\Windows\System32\drivers\etc\hosts (logged 8 times in the report)
Sample reads its own file content
Source: C:\Users\user\Desktop\15message.dat.exe; File read: C:\Users\user\Desktop\15message.dat.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\15message.dat.exe; Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\15message.dat.exe; Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe; Section loaded: wow64log.dll
Source: C:\Windows\tserv.exe; Section loaded: cmut449c14b7.dll (logged 3 times in the report)
Source: C:\Windows\tserv.exe; Section loaded: tserv.dll
Source: C:\Windows\SysWOW64\notepad.exe; Section loaded: wow64log.dll
Binary contains paths to development resources
Source: explorer.exe, 0000000B.00000000.5218707865.0000000009906000.00000004.sdmp; Binary or memory string: .sln}4k
Classification label
Source: classification engine; Classification label: mal96.evad.winEXE@5/9@161/3
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_00405090 GetSystemDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetFileAttributesA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\15message.dat.exe; Code function: 4_2_0041E0B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,CloseHandle
Creates files inside the user directory
Source: C:\Users\user\Desktop\15message.dat.exe; File created: C:\Users\user\Desktop\8839.tmp
PE file has an executable .text section and no other executable section
Source: 15message.dat.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Windows\explorer.exe; File read: C:\Users\user\3D Objects\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\15message.dat.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\15message.dat.exe 'C:\Users\user\Desktop\15message.dat.exe'
Source: unknown; Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: unknown; Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\8839.tmp
Source: C:\Users\user\Desktop\15message.dat.exe; Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: C:\Users\user\Desktop\15message.dat.exeProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\8839.tmpJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\SysWOW64\notepad.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32Jump to behavior
Uses Rich Edit ControlsShow sources
Source: C:\Windows\explorer.exeFile opened: C:\Windows\SYSTEM32\MsftEdit.dllJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Binary contains paths to debug symbolsShow sources
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.5234704996.000000000D810000.00000002.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.5234704996.000000000D810000.00000002.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA | 4_2_0041F660
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_0042647C push eax; ret | 4_2_0042649A
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_004254B0 push eax; ret | 4_2_004254C4
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_004254B0 push eax; ret | 4_2_004254EC
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_00426687 push ecx; ret | 4_2_00426697

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\15message.dat.exe | Executable created and started: C:\Windows\tserv.exe
Drops PE files
Source: C:\Users\user\Desktop\15message.dat.exe | File created: C:\Windows\tserv.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\15message.dat.exe | File created: C:\Windows\tserv.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\tserv.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: dat.exe | Static PE information: 15message.dat.exe
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress | 4_2_0041D159
Disables application error messages (SetErrorMode)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_0040C1D0 rdtsc | 4_2_0040C1D0
Contains long sleeps (>= 3 min)
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\15message.dat.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_4-12752
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\15message.dat.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_4-12686
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\15message.dat.exe | API coverage: 9.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\tserv.exe TID: 2876 | Thread sleep time: -4800000s >= -30000s
Source: C:\Windows\tserv.exe TID: 944 | Thread sleep time: -120000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose | 4_2_00406360
Contains functionality to query system information
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_00429F44 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect | 4_2_00429F44
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: tserv.exe, 00000006.00000002.6128885711.000000000073A000.00000004.sdmp | Binary or memory string: c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\*.*
Source: explorer.exe, 0000000B.00000000.5203429539.0000000005240000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: tserv.exe, 00000006.00000002.6128885711.000000000073A000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: explorer.exe, 0000000B.00000000.5203429539.0000000005240000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000B.00000000.5203429539.0000000005240000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: tserv.exe, 00000006.00000002.6128885711.000000000073A000.00000004.sdmp | Binary or memory string: c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\*.*
Source: explorer.exe, 0000000B.00000000.5203429539.0000000005240000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Desktop\15message.dat.exe | API call chain: ExitProcess graph end node | graph_4-12753
Queries a list of all running processes
Source: C:\Windows\tserv.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\tserv.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_0040C1D0 rdtsc | 4_2_0040C1D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA | 4_2_0041F660
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_004210D0 GetProcessHeap,GetProcessHeap,HeapAlloc,RegOpenKeyExA,GetLastError,GetProcessHeap,HeapFree,RegCloseKey | 4_2_004210D0
Enables debug privileges
Source: C:\Windows\tserv.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_0042731A SetUnhandledExceptionFilter | 4_2_0042731A
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_0042732E SetUnhandledExceptionFilter | 4_2_0042732E

HIPS / PFW / Operating System Protection Evasion:

Early bird code injection technique detected
Source: C:\Users\user\Desktop\15message.dat.exe | Process created / APC Queued / Resumed: C:\Windows\tserv.exe
Allocates memory in foreign processes
Source: C:\Windows\tserv.exe | Memory allocated: C:\Windows\explorer.exe base: 4480000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\tserv.exe | Memory written: PID: 2884 base: 4480000 value: 65
Injects files into Windows application
Source: C:\Windows\SysWOW64\notepad.exe | Injected file: C:\Users\user\Desktop\8839.tmp was created by C:\Users\user\Desktop\15message.dat.exe
Writes to foreign memory regions
Source: C:\Windows\tserv.exe | Memory written: C:\Windows\explorer.exe base: 4480000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\15message.dat.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: C:\Users\user\Desktop\15message.dat.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\8839.tmp
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,RtlAllocateHeap,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,RtlAllocateHeap,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor | 4_2_00423260
May try to detect the Windows Explorer process (often used for injection)
Source: tserv.exe, 00000006.00000002.6131204728.0000000000CC0000.00000002.sdmp, notepad.exe, 00000007.00000002.6148555752.0000000003AB0000.00000002.sdmp, explorer.exe, 0000000B.00000000.5125512165.0000000000CA0000.00000002.sdmp | Binary or memory string: Program Manager
Source: tserv.exe, 00000006.00000002.6131204728.0000000000CC0000.00000002.sdmp, notepad.exe, 00000007.00000002.6148555752.0000000003AB0000.00000002.sdmp, explorer.exe, 0000000B.00000000.5206850121.00000000058C0000.00000004.sdmp | Binary or memory string: Shell_TrayWnd
Source: tserv.exe, 00000006.00000002.6131204728.0000000000CC0000.00000002.sdmp, notepad.exe, 00000007.00000002.6148555752.0000000003AB0000.00000002.sdmp, explorer.exe, 0000000B.00000000.5121697929.00000000006A0000.00000004.sdmp | Binary or memory string: Progman
Source: tserv.exe, 00000006.00000002.6131204728.0000000000CC0000.00000002.sdmp, notepad.exe, 00000007.00000002.6148555752.0000000003AB0000.00000002.sdmp, explorer.exe, 0000000B.00000000.5125512165.0000000000CA0000.00000002.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread | 4_2_00404840
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: GetLocaleInfoA | 4_2_0042C8B2
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\tserv.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\notepad.exe | Queries volume information: C:\Users\user\Desktop\8839.tmp VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_00401830 ExpandEnvironmentStringsA,GetLocalTime,CreateFileA,CloseHandle | 4_2_00401830
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_0040BE00 lstrlenA,GetLocalTime,GetTimeZoneInformation,lstrlenA | 4_2_0040BE00
Contains functionality to query windows version
Source: C:\Users\user\Desktop\15message.dat.exe | Code function: 4_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA | 4_2_00425D91

Stealing of Sensitive Information:

Searches for user specific document files
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\Documents

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 96293 | Sample: 15message.dat.exe | Startdate: 06/12/2018 | Architecture: WINDOWS | Score: 96
Top-level signatures: Antivirus detection for submitted file; Uses an obfuscated file name to hide its real file extension (double extension); Antivirus detection for unpacked file
Process 15message.dat.exe (started)
  Dropped files: C:\Windows\tserv.exe (PE32); C:\Windows\tserv.exe:Zone.Identifier (ASCII); C:\Users\user\Desktop\8839.tmp (data)
  Signatures: Contains functionality to inject threads in other processes; Early bird code injection technique detected; Drops executables to the windows directory (C:\Windows) and starts them
  Process tserv.exe (started)
    DNS/IP: mta5.am0.yahoodns.net 98.137.159.27, 25, 49811, 49812 YAHOO-NE1-YahooUS United States; mta6.am0.yahoodns.net 98.136.101.117, 25, 49813 YAHOO-GQ1-YahooUS United States; 8 other IPs or domains
    Signatures: Antivirus detection for dropped file; Creates an undocumented autostart registry key; Injects code into the Windows Explorer (explorer.exe); 2 other signatures
    Process explorer.exe (injected)
  Process notepad.exe (started)
    Signatures: Injects files into Windows application

Simulations

Behavior and APIs

Time | Type | Description
23:05:36 | API Interceptor | 1x Sleep call for process: 15message.dat.exe modified
23:05:43 | API Interceptor | 152x Sleep call for process: tserv.exe modified
23:06:00 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run tserv C:\Windows\tserv.exe s

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label | Link
15message.dat.exe | 100% | Avira | WORM/Stration.C

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Windows\tserv.exe | 100% | Avira | WORM/Stration.C

Unpacked PE Files

Source | Detection | Scanner | Label | Link
6.0.tserv.exe.400000.3.unpack | 100% | Avira | WORM/Stration.C
6.0.tserv.exe.400000.2.unpack | 100% | Avira | WORM/Stration.C
4.0.15message.dat.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
4.2.15message.dat.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
6.2.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
6.1.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
6.0.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
6.0.tserv.exe.400000.1.unpack | 100% | Avira | WORM/Stration.C

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs


Domains

                                                                                  70creditcar.exec7eebcfa941dfe6298e89b8353adfece14f4e54f8119956d8ab5cba75cdee8bbmaliciousBrowse
                                                                                  • 98.137.159.24
                                                                                  17Update-KB2684-x86.exe4fe94d2df46f088396c4467c905d5eb1c86443eb1b1e5b43462477ad075b0103maliciousBrowse
                                                                                  • 67.195.228.141
                                                                                  7Update-KB8734-x86.exeed7fa49063d2462bb1939f5d7ba3260ae481bfe7227113f2706be12aced4e5b1maliciousBrowse
                                                                                  • 74.6.137.64

                                                                                  ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
YAHOO-NE1-YahooUS | 63document.exe | a49fb7827643752502825d141e7b09c19518b759b758d52c0a1cca3a11750376 | malicious | 98.137.157.43
 | 23messag.exe | b78fc25962efa644aceeaf35783b23f2d64c3029d769761f17789d71957b6296 | malicious | 98.136.96.73
 | 21doc.el.exe | 7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976 | malicious | 98.137.159.25
 | 1letter.exe | b9392e4692bc363bc0f4622906323da1dd4de98dd4c46900afe6f614030cf080 | malicious | 98.136.96.73
 | 15lRsrqQajV0.exe | 701d4dd949f8c06fd5a3ab9df722b770601bc2e6249a7d0e9ef6b022ecd610cb | malicious | 98.137.157.43
 | 43bHfYUtGowC.exe | d50d485d9071cfe4e37416649c73ceb4058d10c071bfcd023e5a4b02fd94069b | malicious | 98.136.96.73
 | 62document.html .exe | da7d480c80dd0dfb1db590652995abbba36d1572c8e92a7f562ec7f4a8833660 | malicious | 98.136.96.73
 | 29Update-KB1750-x86.exe | 655ea4f24da22ac5572edec7f64bf74e0b48f24ba102cc3edb2f6db675251d1b | malicious | 98.137.159.24
 | 51Update-KB8281-x86.exe | f491c4a1e4ac2cb4dbc22e07af95b5630ab837263f4dc3ee1414fd7503a6404c | malicious | 98.137.159.25
 | 78doc.msg.exe | c577b6b3fadc5bed74eba616f7d7a55aa1308cd94709f7529046383d53784128 | malicious | 98.137.159.28
 | .exe | e37b56142c050c4502d4d9f2d7cc0c4734e35a324adf9d8888cca4688aace783 | malicious | 98.137.157.43
 | 53lette.exe | 67a7fa44e5ae248329868b2c32cac14178ef28b3a1c1e63fb902e006b449a708 | malicious | 98.136.96.73
 | 20all_documen.exe | 2e1ac44958cd68a36451b7d7c3a0afb23b7fb3a2b0c92f64ca6c62b24eb50097 | malicious | 98.137.159.26
 | 23Update-KB3830-x86.exe | 8e96230adbb28f480a8478962b2ffebac366fa5d08aa3c2cf90e70103cd91392 | malicious | 98.137.159.28
 | 22ghostviewer@youtube.exe | 96d625d90c9a039acb82a8b5e55fc43dc992857fd8626fe09e00689ae4299cd4 | malicious | 98.136.96.73
 | 35Update-KB5111-x86.exe | 28239e44b20ebafd365c5ca95896ffee9d9443fb237f015af01aa411096e741f | malicious | 98.137.159.26
 | 23Update-KB3956-x86.exe | 2fba3d6f375b7b0c31f3329d158dde2bceb69f6da6af19d0fe01c4cf8a48ef9f | malicious | 98.137.159.25
 | 20Update-KB7452-x86.exe | fd74a860dca67bbc2b1f4490ae42e6b5764241cfb3ec619399706ae158461789 | malicious | 98.137.159.25
 | 55.x.exe | d7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116b | malicious | 98.136.96.73
 | 34XnXgcYha3A.exe | f69b53d9b2f2d9543a8d02f1ac4424bcae8c0990edc50e4f5ef762fcd0ae3d6a | malicious | 98.136.96.73
YAHOO-GQ1-YahooUS | 39transcrip.exe | 752923505b46d88f13c2bee952851153aa1ef9414f2e2390bb61cbdd3bb35799 | malicious | 208.71.45.11
 | 17yeH6QNgQKp.exe | 5f050a73c2a21bbaefb28b6584945864c36ac8c29e52092813edec305dcb9553 | malicious | 208.71.45.11
 | https://bitly.com/2ADBPis | (URL, no hash) | malicious | 208.71.44.31
 | 53README.EXE | 107b7598049b5fbafcfe721e7caf27a0410a4d3ed027a92b5bf4a1c8e78ab160 | malicious | 208.71.45.11
 | gescanntes-Dokument-39759521822.doc | dc39a7c3de4a13ca1ddd43b16f161430a017d82d347bb06e622ac246d301ff78 | malicious | 67.195.61.46
 | 26uBsya2ooof.exe | 43219e0766b8d29ac766bec695c0f4c75ce93993936cbfddf5cabfa104bdbe47 | malicious | 208.71.45.11
 | 777SqyBFAEcE.exe | 02400dcc633b5541cf9ce6aef93cc45464dcac2faf432cf4fe8eab892fe2af09 | malicious | 208.71.45.11
 | .exe | 720450804b1899a581eb974f9aae66fd9185826f229fb9b9745cf00adcd5d6af | malicious | 98.136.144.138
 | 3tex.exe | 302fede01da1fced3645239a43436304aa56d10badd33378d4ab76ecbe8afac7 | malicious | 98.136.144.138
 | 23On8YogEnJM.exe | b28183e8623c4d0536745d0250bc2b7bee1a9d2c4ace248101f970bc83772686 | malicious | 98.136.144.138
 | 65hrD9XUCkn8.exe | 1a452ba33ee454c5b0ea016751e420673f8de03aedfdff0c8fac486d2f1be9f1 | malicious | 98.136.144.138
 | 59documen.exe | c919e05003c9691532aa95510fc095e84fc91cfa20ceeca210962ca1c52edf2c | malicious | 98.136.144.138
 | 5mai.exe | 3a70c854f8fa149ffb459b325c5378f880adb3c311ddd04292dc3aeabea5ced3 | malicious | 98.136.144.138
 | 41instructio.exe | e050b5220ef6e3c9b2615a9d132be118d557e509f121867460f9a53a417888d9 | malicious | 98.136.144.138
 | 13attachment.doc .exe | b4ed93eb6cb4c26bad0d4ccd85a78768ba6b8e0b0a710722f1aef72514e060d3 | malicious | 98.136.144.138
 | 69mai.exe | 6b0169937e5ea4d7193baad8d63717677c93287cc322d29e044d0960e9eac03a | malicious | 98.136.103.26
 | 72ine.exe | 2f5d5628565b7fb96d79e4aea9309b0a616e4d35ae9e3e29b87d29fa2f3d48d0 | malicious | 98.136.144.138
 | 17LETTE.exe | 0aa40af96285e988536ede2c150f31aefb7a653dee7b22b289b95716445538fd | malicious | 98.136.144.138
 | http://churchofchristintheglade.com/resume.php | (URL, no hash) | malicious | 67.195.61.46
 | 11readm.exe | f2014ef3490e471a54c7400cfc8f96047a0d3a06f0278fde6be433538e019ead | malicious | 98.136.144.138

                                                                                  Dropped Files

                                                                                  No context

                                                                                  Screenshots

                                                                                  Thumbnails

                                                                                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.