Loading ...

Play interactive tourEdit tour

Analysis Report Confirmation voucher.exe

Overview

General Information

Sample Name:Confirmation voucher.exe
Analysis ID:255254
MD5:7c239ebd95edce558af5ab4ba444a20e
SHA1:72b95da770016af3be66101db42c191d60685d7f
SHA256:0cd1ca47d2e04de65562e1ba4d8ce4545ee486999f8f0eb7adc880c7fb7fc9b8

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM autoit script
Yara detected FormBook
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sleep loop found (likely to delay execution)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Confirmation voucher.exe (PID: 7112 cmdline: 'C:\Users\user\Desktop\Confirmation voucher.exe' MD5: 7C239EBD95EDCE558AF5AB4BA444A20E)
    • okxjgnm.pif (PID: 6396 cmdline: 'C:\Users\user\AppData\Roaming\52828230\okxjgnm.pif' xllpdbhw.ifs MD5: D3FFBDE7EA1BCB2D0A6E6E12B0306625)
      • RegSvcs.exe (PID: 7008 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • RegSvcs.exe (PID: 6996 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • explorer.exe (PID: 3420 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • wscript.exe (PID: 1716 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
            • cmd.exe (PID: 5764 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000003.1362807994.0000000004E9E000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000001.00000003.1362807994.0000000004E9E000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8b58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8dc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14a45:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14531:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14b47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14cbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x993a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x137ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa633:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1adba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000003.1362807994.0000000004E9E000.00000004.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x176c9:$sqlite3step: 68 34 1C 7B E1
    • 0x177dc:$sqlite3step: 68 34 1C 7B E1
    • 0x176f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1781d:$sqlite3text: 68 38 2A 90 C5
    • 0x1770b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17833:$sqlite3blob: 68 53 D8 7F 8C
    00000001.00000003.1361982631.0000000004E44000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000001.00000003.1361982631.0000000004E44000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x9348:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x95b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x35f50:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x361ba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15235:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x41e3d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14d21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x41929:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15337:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x41f3f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x154af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x420b7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa12a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x36d32:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x13f9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x40ba4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xae23:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x37a2b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1a5a7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x471af:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1b5aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 77 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      8.2.RegSvcs.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        8.2.RegSvcs.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        8.2.RegSvcs.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x18429:$sqlite3step: 68 34 1C 7B E1
        • 0x1853c:$sqlite3step: 68 34 1C 7B E1
        • 0x18458:$sqlite3text: 68 38 2A 90 C5
        • 0x1857d:$sqlite3text: 68 38 2A 90 C5
        • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
        8.2.RegSvcs.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          8.2.RegSvcs.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 1 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000001.00000003.1362807994.0000000004E9E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361982631.0000000004E44000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361817589.0000000004E17000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1360615075.0000000004DEB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1364134015.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1362019342.0000000004E70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361093859.0000000004C87000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1555203386.0000000003470000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361267539.0000000004DBE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361449823.0000000004D91000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1555820796.00000000034A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1364263842.0000000004C87000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1364043741.0000000004DEB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1360179593.0000000004D91000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1421443248.0000000001200000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1547808664.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1364190308.0000000004DBE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1362777547.0000000004ECA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1363860503.0000000004E44000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1363815130.0000000004E9D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1363702039.0000000004E71000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1420819466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361857085.0000000004E17000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1421415163.00000000011D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1364219994.0000000004D91000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361742037.0000000004DEB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1362846311.0000000004ECA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: C:\Users\user\Desktop\Confirmation voucher.exeCode function: 0_2_0138A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0138A2C3
          Source: C:\Users\user\Desktop\Confirmation voucher.exeCode function: 0_2_0139A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0139A536
          Source: C:\Users\user\Desktop\Confirmation voucher.exeCode function: 0_2_013A7D69 FindFirstFileExA,0_2_013A7D69
          Source: C:\Users\user\AppData\Roaming\52828230\okxjgnm.pifCode function: 1_2_00A9399B GetFileAttributesW,FindFirstFileW,FindClose,1_2_00A9399B
          Source: C:\Users\user\AppData\Roaming\52828230\okxjgnm.pifCode function: 1_2_00AABCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,1_2_00AABCB3
          Source: C:\Users\user\AppData\Roaming\52828230\okxjgnm.pifCode function: 1_2_00AB2408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,1_2_00AB2408
          Source: global trafficHTTP traffic detected: GET /hx232/?Nt4pdn=FH7l7pR0f&onq8=00Kt5hk1A/nu9JYvVYUET8gi+JsJlJE+fg4AifYgmMxa4QtRiQe/uMYUrJ207y9mQQiR HTTP/1.1Host: www.meadowvalenorth.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Users\user\AppData\Roaming\52828230\okxjgnm.pifCode function: 1_2_00AA2285 InternetQueryDataAvailable,InternetReadFile,1_2_00AA2285
          Source: global trafficHTTP traffic detected: GET /hx232/?Nt4pdn=FH7l7pR0f&onq8=00Kt5hk1A/nu9JYvVYUET8gi+JsJlJE+fg4AifYgmMxa4QtRiQe/uMYUrJ207y9mQQiR HTTP/1.1Host: www.meadowvalenorth.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
          Source: unknownDNS traffic detected: queries for: g.msn.com
          Source: explorer.exe, 00000009.00000000.1400597823.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://%s.com
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://amazon.fr/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://arianna.libero.it/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://arianna.libero.it/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://auone.jp/favicon.ico
          Source: explorer.exe, 00000009.00000000.1400597823.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://auto.search.msn.com/response.asp?MT=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://br.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://busca.estadao.com.br/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://busca.orange.es/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: okxjgnm.pif.0.drString found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
          Source: okxjgnm.pif.0.drString found in binary or memory: http://crl.globalsign.net/Root.crl0
          Source: okxjgnm.pif.0.drString found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
          Source: okxjgnm.pif.0.drString found in binary or memory: http://crl.globalsign.net/primobject.crl0N
          Source: explorer.exe, 00000009.00000000.1390178940.0000000007EC1000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: okxjgnm.pif.0.drString found in binary or memory: http://crl.globalsign.net/root.crl0
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: okxjgnm.pif.0.drString found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
          Source: okxjgnm.pif.0.drString found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000009.00000000.1400597823.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000009.00000000.1400597823.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000009.00000000.1382080323.0000000004970000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: okxjgnm.pif.0.drString found in binary or memory: http://www.autoitscript.com/autoit3/0
          Source: explorer.exe, 00000009.00000000.1388548481.0000000007B03000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: okxjgnm.pif.0.drString found in binary or memory: http://www.globalsign.net/repository/0
          Source: okxjgnm.pif.0.drString found in binary or memory: http://www.globalsign.net/repository/03
          Source: okxjgnm.pif.0.drString found in binary or memory: http://www.globalsign.net/repository09
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1399426552.0000000011076000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
          Source: explorer.exe, 00000009.00000000.1401083290.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
          Source: wscript.exe, 0000000E.00000002.1559980546.000000000596F000.00000004.00000001.sdmpString found in binary or memory: https://www.meadowvalenorth.com/hx232/?Nt4pdn=FH7l7pR0f&onq8=00Kt5hk1A/nu9JYvVYUET8gi
          Source: C:\Users\user\AppData\Roaming\52828230\okxjgnm.pifCode function: 1_2_00ABA0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00ABA0FC
          Source: C:\Users\user\AppData\Roaming\52828230\okxjgnm.pifCode function: 1_2_00AA42E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW,1_2_00AA42E1

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000001.00000003.1362807994.0000000004E9E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361982631.0000000004E44000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361817589.0000000004E17000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1360615075.0000000004DEB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1364134015.0000000004E16000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1362019342.0000000004E70000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361093859.0000000004C87000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1555203386.0000000003470000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361267539.0000000004DBE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361449823.0000000004D91000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1555820796.00000000034A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1364263842.0000000004C87000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1364043741.0000000004DEB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1360179593.0000000004D91000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1421443248.0000000001200000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.1547808664.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1364190308.0000000004DBE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1362777547.0000000004ECA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1363860503.0000000004E44000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1363815130.0000000004E9D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1363702039.0000000004E71000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1420819466.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361857085.0000000004E17000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.1421415163.00000000011D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1364219994.0000000004D91000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1361742037.0000000004DEB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000003.1362846311.0000000004ECA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary: