Analysis Report shipping document INV+PL.exe

Overview

General Information

Sample Name: shipping document INV+PL.exe
Analysis ID: 255451
MD5: ca4fbf42b3da386f10f5c82afe65a0bf
SHA1: 8fd29038564832e3f356db1a7d6cf3464c3e07cc
SHA256: ce4764b6234abdbe6f67d1f7c8a54fc7908208a2aec45b6135407cf2e87e67c2

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • shipping document INV+PL.exe (PID: 7164 cmdline: 'C:\Users\user\Desktop\shipping document INV+PL.exe' MD5: CA4FBF42B3DA386F10F5C82AFE65A0BF)
    • shipping document INV+PL.exe (PID: 6496 cmdline: {path} MD5: CA4FBF42B3DA386F10F5C82AFE65A0BF)
      • explorer.exe (PID: 3420 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6124 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 4200 cmdline: /c del 'C:\Users\user\Desktop\shipping document INV+PL.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
shipping document INV+PL.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x11bb1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.1542225108.0000000000BF0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.1542225108.0000000000BF0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15805:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15907:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1456c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b577:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c57a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1542225108.0000000000BF0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x184e9:$sqlite3step: 68 34 1C 7B E1
  • 0x185fc:$sqlite3step: 68 34 1C 7B E1
  • 0x18518:$sqlite3text: 68 38 2A 90 C5
  • 0x1863d:$sqlite3text: 68 38 2A 90 C5
  • 0x1852b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18653:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000000.1275491890.00000000001E2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x119b1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000009.00000002.1542250043.0000000000C20000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(32 entries in total; remaining entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.shipping document INV+PL.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.shipping document INV+PL.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8af8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14a05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x144f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14b07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x98fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1376c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa5f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b77a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.shipping document INV+PL.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x176e9:$sqlite3step: 68 34 1C 7B E1
  • 0x177fc:$sqlite3step: 68 34 1C 7B E1
  • 0x17718:$sqlite3text: 68 38 2A 90 C5
  • 0x1783d:$sqlite3text: 68 38 2A 90 C5
  • 0x1772b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17853:$sqlite3blob: 68 53 D8 7F 8C
1.2.shipping document INV+PL.exe.3f0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x11bb1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
3.0.shipping document INV+PL.exe.400000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x11bb1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(14 entries in total; remaining entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match, File source: 00000009.00000002.1542225108.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.1542250043.0000000000C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1369258422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.1541572890.0000000000800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1370718511.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000001.1304222671.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1369448187.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1313866763.000000000366A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 3.2.shipping document INV+PL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.1.shipping document INV+PL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.1.shipping document INV+PL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.shipping document INV+PL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: shipping document INV+PL.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\shipping document INV+PL.exe, Code function: 4x nop then pop ebx, 3_2_00407AFA
Source: C:\Users\user\Desktop\shipping document INV+PL.exe, Code function: 4x nop then pop esi, 3_2_004173DD
Source: C:\Users\user\Desktop\shipping document INV+PL.exe, Code function: 4x nop then pop ebx, 3_1_00407AFA
Source: C:\Users\user\Desktop\shipping document INV+PL.exe, Code function: 4x nop then pop esi, 3_1_004173DD
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop ebx, 9_2_00807AFB
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop esi, 9_2_008173DD
Source: global traffic, HTTP traffic detected: GET /bw43/?EZA0pp=5kAUIOJSPVJfD/OGih14HiimzApRBQ8jhXVairVRDF2Un+ffzD5rfiINhEFPVkSJWrl6&DxoHR=Azr8XrW HTTP/1.1 | Host: www.regulars6.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bw43/?EZA0pp=5kAUIOJSPVJfD/OGih14HiimzApRBQ8jhXVairVRDF2Un+ffzD5rfiINhEFPVkSJWrl6&DxoHR=Azr8XrW HTTP/1.1 | Host: www.regulars6.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown, DNS traffic detected: queries for: www.onelife2k17.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 31 Jul 2020 22:27:04 GMT | Server: Apache/2.4.29 (Ubuntu) | Content-Length: 328 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 62 77 34 33 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /bw43/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000005.00000000.1344583693.0000000012B70000.00000002.00000001.sdmp, String found in binary or memory: http://%s.com
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.1344583693.0000000012B70000.00000002.00000001.sdmp, String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1333361560.0000000007EC1000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://find.joins.com/
Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp, String found in binary or memory: http://search.lycos.co.uk/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344583693.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
        Source: explorer.exe, 00000005.00000000.1344583693.0000000012B70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
        Source: explorer.exe, 00000005.00000000.1325665292.0000000004970000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
        Source: explorer.exe, 00000005.00000000.1339436032.000000000CF81000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
        Source: explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
        Source: explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
        Source: shipping document INV+PL.exe, 00000000.00000002.1317192935.0000000005540000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.1343758082.0000000011070000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
        Source: explorer.exe, 00000005.00000000.1344883156.0000000012C63000.00000002.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico

        E-Banking Fraud:

        Yara detected FormBook
        Source: Yara match | File source: 00000009.00000002.1542225108.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.1542250043.0000000000C20000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1369258422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.1541572890.0000000000800000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1370718511.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000001.1304222671.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1369448187.0000000000830000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1313866763.000000000366A000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 3.2.shipping document INV+PL.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.shipping document INV+PL.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.1.shipping document INV+PL.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.shipping document INV+PL.exe.400000.0.raw.unpack, type: UNPACKEDPE

        System Summary:

        Detected FormBook malware
        Source: C:\Windows\SysWOW64\raserver.exe | Dropped file: C:\Users\user\AppData\Roaming\25419Q79\254logri.ini
        Source: C:\Windows\SysWOW64\raserver.exe | Dropped file: C:\Users\user\AppData\Roaming\25419Q79\254logrv.ini
        Malicious sample detected (through community Yara rule)
        Source: 00000009.00000002.1542225108.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.1542225108.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000009.00000002.1542250043.0000000000C20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.1542250043.0000000000C20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000003.00000002.1369258422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000003.00000002.1369258422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000009.00000002.1541572890.0000000000800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.1541572890.0000000000800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000003.00000002.1370718511.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000003.00000002.1370718511.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000003.00000001.1304222671.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000003.00000001.1304222671.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000003.00000002.1369448187.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000003.00000002.1369448187.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000000.00000002.1313866763.000000000366A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000000.00000002.1313866763.000000000366A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 3.2.shipping document INV+PL.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 3.2.shipping document INV+PL.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 3.1.shipping document INV+PL.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 3.1.shipping document INV+PL.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 3.1.shipping document INV+PL.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 3.1.shipping document INV+PL.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 3.2.shipping document INV+PL.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 3.2.shipping document INV+PL.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
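The Yara rows in this section and in "E-Banking Fraud" above, together with the two dropped-file rows under "Detected FormBook malware", carry more than a verdict: each dump name encodes which process and which memory region the FormBook code was found in, and the dropped .ini paths follow a fixed shape. The Python script below is an added example for decoding those rows; it is not part of the Joe Sandbox report. Its ROWS list is copied from this page with the cell boundary restored as " | ". Two things in it are assumptions rather than statements of the report: the field layout of a .sdmp dump name (process index, run, dump id, base address, page protection, memory type) and the FormBook log-path pattern generalised from the two paths on this page. The PAGE_* values are the Windows constants from winnt.h.

```python
"""Triage of the Yara-match and dropped-file rows from this report section.

Added example, not part of the Joe Sandbox report. ROWS is copied from
the page with the cell boundary restored as ' | '. Assumptions made
here: the field layout of a .sdmp dump name and the FormBook log-path
shape generalised from the two dropped files; the PAGE_* values are
the Windows constants from winnt.h.
"""
import re
from collections import defaultdict

ROWS = [
    "Source: Yara match | File source: 00000009.00000002.1542225108.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000009.00000002.1542250043.0000000000C20000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000003.00000002.1369258422.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000003.00000001.1304222671.0000000000400000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000000.00000002.1313866763.000000000366A000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 3.2.shipping document INV+PL.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: C:\\Windows\\SysWOW64\\raserver.exe | Dropped file: C:\\Users\\user\\AppData\\Roaming\\25419Q79\\254logri.ini",
    "Source: C:\\Windows\\SysWOW64\\raserver.exe | Dropped file: C:\\Users\\user\\AppData\\Roaming\\25419Q79\\254logrv.ini",
]

# Assumed dump-name layout:
#   <process index>.<run>.<dump id>.<base address>.<page protection>.<memory type>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)
# Unpacked-PE name: <process index>.<run>.<image name>.<base hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+)\.(?P<base>[0-9A-Fa-f]+)\.\d+(\.raw)?\.unpack$"
)
# Assumed FormBook log shape: ...\AppData\Roaming\<8 alnum>\<first 3 chars of that dir>log<2 letters>.ini
FORMBOOK_LOG_RE = re.compile(
    r"\\AppData\\Roaming\\(?P<dir>[0-9A-Z]{8})\\(?P<pfx>[0-9A-Z]{3})log[a-z]{2}\.ini$"
)
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}


def parse_sdmp(name):
    """Decode a dump file name into process index, run, base address and protection."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    prot = int(m["prot"], 16)
    return {
        "process": int(m["proc"], 16),
        "run": int(m["run"], 16),
        "base": int(m["base"], 16),
        "protection": PAGE_PROTECTION.get(prot, hex(prot)),
        # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY are 0x10, 0x20, 0x40, 0x80
        "executable": bool(prot & 0xF0),
    }


def is_formbook_log(path):
    """True when the path has the assumed shape and the 3-char file prefix is the directory's."""
    m = FORMBOOK_LOG_RE.search(path)
    return bool(m) and m["dir"].startswith(m["pfx"])


def triage(rows):
    """Group Yara-matched regions per process and flag the processes holding executable matches."""
    regions = defaultdict(list)
    unpacked = []
    logs = []
    for row in rows:
        source, _, detail = row.partition(" | ")
        source = source[len("Source: "):]
        label, _, value = detail.partition(": ")
        if label == "File source":
            name, _, kind = value.partition(", type: ")
            if kind == "MEMORY":
                region = parse_sdmp(name)
                if region:
                    regions[region["process"]].append(region)
            elif kind == "UNPACKEDPE":
                m = UNPACK_RE.match(name)
                if m:
                    unpacked.append((int(m["proc"]), int(m["base"], 16)))
        elif label == "Dropped file" and is_formbook_log(value):
            logs.append((source, value))
    hosts = sorted(p for p, rs in regions.items() if any(r["executable"] for r in rs))
    return {"regions": dict(regions), "payload_hosts": hosts,
            "unpacked": unpacked, "formbook_logs": logs}


if __name__ == "__main__":
    result = triage(ROWS)
    for proc in result["payload_hosts"]:
        for r in result["regions"][proc]:
            print(f"process {proc}: 0x{r['base']:08X} {r['protection']}")
    for source, path in result["formbook_logs"]:
        print(f"{source} wrote {path}")
```

Read against the report: process 3 (the sample after hollowing, matched at its own image base 0x400000) and process 9 (raserver.exe) hold the matched code in PAGE_EXECUTE_READWRITE memory, which is where an unpacked FormBook payload is expected; process 0 only holds it in a PAGE_READWRITE buffer before injection, and every match is on a memory dump or an unpacked PE, none on the file on disk. The two .ini files are the artefacts to look for on a host once the random directory name is known.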
        Executable has a suspicious name (potential lure to open the executable)
        Source: shipping document INV+PL.exe | Static file information: Suspicious name
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: shipping document INV+PL.exe
        Source: C:\Windows\SysWOW64\raserver.exe | Process Stats: CPU usage > 98%
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_0041A060 NtReadFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_0041A0E0 NtClose
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_0041A190 NtAllocateVirtualMemory
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00419FB0 NtCreateFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_0041A05C NtReadFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_0041A002 NtCreateFile,NtReadFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_0041A0DA NtClose
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_0041A18A NtAllocateVirtualMemory
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00419FAA NtCreateFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE98F0 NtReadVirtualMemory,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9860 NtQuerySystemInformation,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9840 NtDelayExecution,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE99A0 NtCreateSection,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9910 NtAdjustPrivilegesToken,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9A50 NtCreateFile,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9A20 NtResumeThread,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9A00 NtProtectVirtualMemory,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE95D0 NtClose,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9540 NtReadFile,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE96E0 NtFreeVirtualMemory,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9660 NtAllocateVirtualMemory,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE97A0 NtUnmapViewOfSection,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9780 NtMapViewOfSection,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9710 NtQueryInformationToken,LdrInitializeThunk
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE98A0 NtWriteVirtualMemory
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EEB040 NtSuspendThread
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9820 NtEnumerateKey
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE99D0 NtCreateProcessEx
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9950 NtQueueApcThread
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9A80 NtOpenDirectoryObject
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9A10 NtQuerySection
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EEA3B0 NtGetContextThread
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9B00 NtSetValueKey
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE95F0 NtQueryInformationFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9560 NtWriteFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9520 NtWaitForSingleObject
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EEAD30 NtSetContextThread
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE96D0 NtCreateKey
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9670 NtQueryInformationProcess
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9650 NtQueryValueKey
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9610 NtEnumerateValueKey
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9FE0 NtCreateMutant
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9760 NtOpenProcess
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9770 NtSetInformationFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EEA770 NtOpenThread
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EE9730 NtQueryVirtualMemory
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EEA710 NtOpenProcessToken
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_0041A060 NtReadFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_0041A0E0 NtClose
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_0041A190 NtAllocateVirtualMemory
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_00419FB0 NtCreateFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_0041A05C NtReadFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_0041A002 NtCreateFile,NtReadFile
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_0041A0DA NtClose
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_0041A18A NtAllocateVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9560 NtWriteFile,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9540 NtReadFile,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F95D0 NtClose,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9660 NtAllocateVirtualMemory,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9650 NtQueryValueKey,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9610 NtEnumerateValueKey,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F96E0 NtFreeVirtualMemory,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F96D0 NtCreateKey,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9770 NtSetInformationFile,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9710 NtQueryInformationToken,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9FE0 NtCreateMutant,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9780 NtMapViewOfSection,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9860 NtQuerySystemInformation,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9840 NtDelayExecution,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9910 NtAdjustPrivilegesToken,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F99A0 NtCreateSection,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9A50 NtCreateFile,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9B00 NtSetValueKey,LdrInitializeThunk
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047FAD30 NtSetContextThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9520 NtWaitForSingleObject
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F95F0 NtQueryInformationFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9670 NtQueryInformationProcess
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047FA770 NtOpenThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9760 NtOpenProcess
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9730 NtQueryVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047FA710 NtOpenProcessToken
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F97A0 NtUnmapViewOfSection
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047FB040 NtSuspendThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9820 NtEnumerateKey
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F98F0 NtReadVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F98A0 NtWriteVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9950 NtQueueApcThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F99D0 NtCreateProcessEx
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9A20 NtResumeThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9A10 NtQuerySection
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9A00 NtProtectVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047F9A80 NtOpenDirectoryObject
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047FA3B0 NtGetContextThread
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0081A0E0 NtClose
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0081A060 NtReadFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0081A190 NtAllocateVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00819FB0 NtCreateFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0081A0DA NtClose
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0081A002 NtCreateFile,NtReadFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0081A05C NtReadFile
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0081A18A NtAllocateVirtualMemory
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00819FAA NtCreateFile
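The Nt* rows above are the evidence behind the report's process-hollowing, thread-injection, section-mapping and APC-queueing signatures, but they are listed per function, not per technique. The Python below, an added example rather than the sandbox's own logic, regroups them: it parses the rows, builds the set of native APIs each (process index, run) resolves, and reports which injection chains are complete. The grouping of APIs into chains is this example's choice, and the embedded ROWS list is a constructed subset of the rows on this page with the cell boundary restored as " | ".

```python
"""Which injection chains does each process in this report expose?

Added example, not part of the Joe Sandbox report. ROWS is a constructed
subset of the 'Code function' rows on this page. The TECHNIQUES table is
this example's own grouping of native APIs into injection chains.
"""
import re
from collections import defaultdict

SAMPLE = "C:\\Users\\user\\Desktop\\shipping document INV+PL.exe"
RASERVER = "C:\\Windows\\SysWOW64\\raserver.exe"

ROWS = [f"Source: {img} | Code function: {fn}" for img, fn in [
    (SAMPLE, "3_2_0041A002 NtCreateFile,NtReadFile"),
    (SAMPLE, "3_2_00EE99D0 NtCreateProcessEx"),
    (SAMPLE, "3_2_00EE97A0 NtUnmapViewOfSection,LdrInitializeThunk"),
    (SAMPLE, "3_2_00EE9660 NtAllocateVirtualMemory,LdrInitializeThunk"),
    (SAMPLE, "3_2_00EE98A0 NtWriteVirtualMemory"),
    (SAMPLE, "3_2_00EEAD30 NtSetContextThread"),
    (SAMPLE, "3_2_00EE9A20 NtResumeThread,LdrInitializeThunk"),
    (SAMPLE, "3_2_00EE99A0 NtCreateSection,LdrInitializeThunk"),
    (SAMPLE, "3_2_00EE9780 NtMapViewOfSection,LdrInitializeThunk"),
    (SAMPLE, "3_2_00EE9760 NtOpenProcess"),
    (SAMPLE, "3_2_00EEA770 NtOpenThread"),
    (SAMPLE, "3_2_00EE9950 NtQueueApcThread"),
    (SAMPLE, "3_1_0041A002 NtCreateFile,NtReadFile"),
    (SAMPLE, "3_1_0041A190 NtAllocateVirtualMemory"),
    (RASERVER, "9_2_047F99D0 NtCreateProcessEx"),
    (RASERVER, "9_2_047F97A0 NtUnmapViewOfSection"),
    (RASERVER, "9_2_047F9660 NtAllocateVirtualMemory,LdrInitializeThunk"),
    (RASERVER, "9_2_047F98A0 NtWriteVirtualMemory"),
    (RASERVER, "9_2_047FAD30 NtSetContextThread"),
    (RASERVER, "9_2_047F9A20 NtResumeThread"),
    (RASERVER, "9_2_047F99A0 NtCreateSection,LdrInitializeThunk"),
    (RASERVER, "9_2_047F9780 NtMapViewOfSection,LdrInitializeThunk"),
    (RASERVER, "9_2_047F9760 NtOpenProcess"),
    (RASERVER, "9_2_047FA770 NtOpenThread"),
    (RASERVER, "9_2_047F9950 NtQueueApcThread"),
]]

# '<process index>_<run>_<address> <api>[,<api>...]' as rendered in the report
ROW_RE = re.compile(
    r"^Source: (?P<image>.+?) \| Code function: "
    r"(?P<proc>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+) (?P<apis>[\w,]+)$"
)

# Example's own grouping: every API listed must be present for a chain to count as complete.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtAllocateVirtualMemory",
                          "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "section mapping into another process": {"NtOpenProcess", "NtCreateSection",
                                             "NtMapViewOfSection"},
    "APC injection": {"NtOpenThread", "NtQueueApcThread"},
}


def api_inventory(rows):
    """Return {(process index, run): set of Nt* names}; non-Nt names such as LdrInitializeThunk are dropped."""
    inventory = defaultdict(set)
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key = (int(m["proc"]), int(m["run"]))
        inventory[key].update(a for a in m["apis"].split(",") if a.startswith("Nt"))
    return inventory


def match_techniques(rows):
    """Return {(proc, run): {technique: sorted list of missing APIs}}; an empty list means the chain is complete."""
    return {
        key: {name: sorted(needed - apis) for name, needed in TECHNIQUES.items()}
        for key, apis in api_inventory(rows).items()
    }


def complete_chains(rows):
    """Sorted (proc, run, technique) triples whose chain has no missing API."""
    return sorted(
        (proc, run, name)
        for (proc, run), result in match_techniques(rows).items()
        for name, missing in result.items()
        if not missing
    )


if __name__ == "__main__":
    for proc, run, name in complete_chains(ROWS):
        print(f"process {proc} run {run}: {name}")
    for key, result in sorted(match_techniques(ROWS).items()):
        for name, missing in result.items():
            if missing:
                print(f"process {key[0]} run {key[1]}: {name} missing {', '.join(missing)}")
```

On this subset, process 3 (run 2) and process 9 (raserver.exe, run 2) expose every API of all three chains, while run 1 of process 3, the dump taken before unpacking, only has file and allocation calls. The same inventory is a cheap way to decide which dump to open in a disassembler first; the functions at 0x00EE9xxx and 0x047F9xxx in the rows above are the ones to start from.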
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 0_2_001E775D
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 0_2_00A9C9E4
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 0_2_00A9EDA0
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 0_2_00A9EDB0
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 1_2_003F775D
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 2_2_002B775D
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_0041E804
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00401030
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00402D90
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00409FC0
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00402FB0
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00409FBC
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F728EC
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00ED20A0
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F720A8
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EBB090
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F7E824
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00ECA830
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F61002
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EC99BF
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EC4120
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EAF900
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F722AE
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F5FA2B
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F6DBD2
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F603DA
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EDEBB0
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00ECAB40
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F72B28
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F6D466
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EB841F
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EBD5E0
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F725DD
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00ED2581
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F71D55
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EA0D20
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F72D07
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F72EF7
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00EC6E30
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F6D616
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F71FF1
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_2_00F7DFCE
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_0041E804
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_00401030
        Source: C:\Users\user\Desktop\shipping document INV+PL.exe | Code function: 3_1_00402D90
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047C841F
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0487D466
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_048825DD
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047B0D20
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04882D07
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047CD5E0
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04881D55
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047E2581
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047D6E30
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04882EF7
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0487D616
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04881FF1
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_048820A8
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_048828EC
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04871002
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047E20A0
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047CB090
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047D4120
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047BF900
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_048822AE
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0487DBD2
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04882B28
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_047EEBB0
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00802D90
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00802FB0
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00809FBC
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00809FC0
        Source: C:\Windows\SysWOW64\raserver.exeCode function: String function: 047BB150 appears 35 times
        Source: C:\Users\user\Desktop\shipping document INV+PL.exeCode function: String function: 0041BE30 appears 38 times
        Source: C:\Users\user\Desktop\shipping document INV+PL.exeCode function: String function: 00EAB150 appears 66 times
        Source: shipping document INV+PL.exe, 00000000.00000002.1307528265.0000000002611000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs shipping document INV+PL.exe
        Source: shipping document INV+PL.exe, 00000000.00000002.1304990525.000000000024A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameQuoUn.exe< vs shipping document INV+PL.exe
        Source: shipping document INV+PL.exe, 00000000.00000002.1323059000.0000000008880000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs shipping document INV+PL.exe
        Source: shipping document INV+PL.exe, 00000001.00000002.1302340994.000000000045A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameQuoUn.exe< vs shipping document INV+PL.exe
        Source: shipping document INV+PL.exe, 00000002.00000000.1302921920.000000000031A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameQuoUn.exe< vs shipping document INV+PL.exe
        Source: shipping document INV+PL.exe, 00000003.00000000.1303731210.000000000046A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameQuoUn.exe< vs shipping document INV+PL.exe
        Source: shipping document INV+PL.exe, 00000003.00000002.1371133921.0000000000D59000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameraserver.exej% vs shipping document INV+PL.exe
        Source: shipping document INV+PL.exe, 00000003.00000002.1373259174.000000000112F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs shipping document INV+PL.exe
        Source: shipping document INV+PL.exe | Binary or memory string: OriginalFilenameQuoUn.exe< vs shipping document INV+PL.exe
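The "OriginalFilename ... vs shipping document INV+PL.exe" lines above flag a mismatch between the name stored in the binary's own VS_VERSIONINFO resource (QuoUn.exe, Loreal.exe, Sparta.dll, raserver.exe) and the name the file was delivered under. The following is an added example, not the sandbox's code or anything from the sample, of how that check is done on a raw file image or an unmapped memory dump: the UTF-16 key "OriginalFilename" is located, the DWORD padding that follows its terminator is skipped, and the UTF-16 value up to its double NUL is read out. The sample dump is constructed inline with a tiny helper that builds version-info String entries; it stands in for a real resource and is an assumption of this example, as is the stray character the sandbox prints after each value (a sign that its extractor reads past the terminator, which this parser does not).

```python
import struct
from typing import List

# The UTF-16LE key of a VS_VERSIONINFO String entry, including its NUL terminator.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def original_filenames(blob: bytes) -> List[str]:
    """Return every OriginalFilename value found in a raw file image or memory dump.

    In a VS_VERSIONINFO String entry the UTF-16 key is followed by its NUL
    terminator, zero padding up to a DWORD boundary, and then the UTF-16 value,
    itself terminated by a double NUL. Walking the bytes this way also works on
    memory dumps where the resource directory is no longer intact.
    """
    found = []
    pos = 0
    while (idx := blob.find(_KEY, pos)) != -1:
        cur = idx + len(_KEY)
        while blob[cur:cur + 2] == b"\x00\x00":          # skip alignment padding
            cur += 2
        end = cur
        while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        found.append(blob[cur:end].decode("utf-16-le", errors="replace"))
        pos = idx + 1
    return found


def mismatched_original_filenames(blob: bytes, on_disk_name: str) -> List[str]:
    """OriginalFilename values that differ from the name the file was delivered under."""
    return [n for n in original_filenames(blob) if n.lower() != on_disk_name.lower()]


def _vs_string(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String entry (constructed test data, not a real resource)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00" * (-(6 + len(k)) % 4)    # value starts DWORD-aligned after the 6-byte header
    body = k + pad + v
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed stand-in for a memory dump: two version-info fragments separated by filler.
SAMPLE_DUMP = (
    b"\x00" * 16
    + _vs_string("CompanyName", "Example Corp")
    + _vs_string("OriginalFilename", "QuoUn.exe")
    + b"\xcc" * 24
    + _vs_string("OriginalFilename", "raserver.exe")
)

if __name__ == "__main__":
    delivered = "shipping document INV+PL.exe"
    for name in mismatched_original_filenames(SAMPLE_DUMP, delivered):
        print(f"OriginalFilename {name} vs {delivered}")
```

A mismatch on its own is weak evidence (installers and renamed copies produce it too); here it gains weight because several different names appear across the process tree, and one of them, raserver.exe, is the system binary the sample later hollows.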
        Source: shipping document INV+PL.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000009.00000002.1542225108.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000009.00000002.1542225108.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000000.1275491890.00000000001E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000009.00000002.1542250043.0000000000C20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000009.00000002.1542250043.0000000000C20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000003.00000002.1369258422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000003.00000002.1369258422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000009.00000002.1544472679.0000000004CBF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000002.00000000.1302854656.00000000002B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000009.00000002.1541572890.0000000000800000.00000040.00000001.sdmp, type: MEMORY<
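The SUSP_Reversed_Base64_Encoded_EXE matches above, on the sample file itself and on several memory regions, are described by the rule's own metadata as "a base64 encoded executable with reversed characters": the dropper stores its next stage as base64 text written backwards, so a plain base64 scan for a PE never fires. The code below is an added illustration of that idea, not the rule (whose strings this page does not reproduce) and not the sandbox's scanner. It takes the DOS stub message every PE carries, computes its base64 form at each of the three byte alignments it can have inside a larger encoded blob (a substring's base64 text depends on its offset modulo 3), reverses those fragments, and searches a buffer for them; a second function carves the surrounding base64 run, un-reverses it and decodes it back to the embedded file. The executable and the carrier text are constructed inline and are not taken from the sample.

```python
import base64
import binascii
import re
from typing import List, Optional

# Every PE's DOS stub carries this message, so a base64-encoded executable
# contains its base64 form somewhere in the text.
DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def b64_fragments(marker: bytes) -> List[bytes]:
    """Base64 text of `marker` for each of the three byte alignments it can have
    inside a larger encoded blob, keeping only the characters the marker alone
    determines (edge characters that also encode neighbouring bytes are dropped)."""
    frags = []
    for lead in range(3):
        enc = base64.b64encode(b"\x00" * lead + marker)
        first = -(-4 * lead // 3)                # ceil(4 * lead / 3)
        last = 4 * (lead + len(marker)) // 3     # floor(4 * (lead + len) / 3)
        frags.append(enc[first:last])
    return frags


# The same fragments with their characters reversed: what a reversed
# base64-encoded executable contains instead of the plain fragments.
REVERSED_FRAGMENTS = [f[::-1] for f in b64_fragments(DOS_STUB_MSG)]

# A run of base64 characters long enough to plausibly be an embedded file.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{64,}")


def find_reversed_b64_exe(data: bytes) -> List[int]:
    """Offsets in `data` at which a reversed base64-encoded DOS stub message occurs."""
    hits = []
    for frag in REVERSED_FRAGMENTS:
        start = 0
        while (idx := data.find(frag, start)) != -1:
            hits.append(idx)
            start = idx + 1
    return sorted(hits)


def carve_reversed_b64_exe(data: bytes) -> Optional[bytes]:
    """Recover the executable behind the first hit: take the base64 run around it,
    undo the reversal, restore the '=' padding and decode. None when nothing
    matches or the run does not decode."""
    hits = find_reversed_b64_exe(data)
    if not hits:
        return None
    for run in _B64_RUN.finditer(data):
        if run.start() <= hits[0] < run.end():
            text = run.group()[::-1].rstrip(b"=")    # reversal moved any '=' to the front
            text += b"=" * (-len(text) % 4)
            try:
                return base64.b64decode(text, validate=True)
            except binascii.Error:
                return None
    return None


# Constructed stand-in for an executable: DOS magic, filler, the stub message, trailer.
FAKE_EXE = b"MZ" + b"\x90" * 62 + DOS_STUB_MSG + b"\x00" * 10
# Constructed carrier: FAKE_EXE base64-encoded and then reversed, between non-base64 text.
SAMPLE = b"--- payload: " + base64.b64encode(FAKE_EXE)[::-1] + b" ---"

if __name__ == "__main__":
    print("hits at offsets", find_reversed_b64_exe(SAMPLE))
    carved = carve_reversed_b64_exe(SAMPLE)
    print("carved", len(carved), "bytes starting with", carved[:2])
```

In the constructed carrier the stub message sits at offset 64 of the fake executable, so only the alignment-1 fragment matches; scanning with all three alignments is what keeps the check independent of where the message lands in the real file. Carving is a convenience for triage, not a substitute for letting the dropper decode its own payload in the sandbox, since real samples often reverse before or after additional encoding layers.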