
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 72253
Start date: 13.08.2018
Start time: 14:01:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: payload (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.bank.evad.winEXE@6/12@0/2
EGA Information:
  • Successful, ratio: 50%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 70
  • Number of non-executed functions: 25
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
  • Execution Graph export aborted for target iexplore.exe, PID 3828 because there are no executed function
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 72
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: payload.exe, virustotal: Detection: 53%

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Users\user\Desktop\payload.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Connects to IPs without corresponding DNS lookups
Source: unknown, TCP traffic detected without corresponding DNS query: 195.123.212.153
Social media urls found in memory data
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, String found in binary or memory: http://www.facebook.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, String found in binary or memory: http://www.facebook.com/favicon.ico
Downloads files
Source: C:\Program Files\Internet Explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon[2].ico
Found strings which match to known social media urls
Urls found in memory or binary data
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://it.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://it.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://it.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://it.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ja.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ja.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ja.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://jobsearch.monster.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://kr.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://list.taobao.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://mail.live.com/
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://msk.afisha.ru/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://nl.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://nl.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://nl.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.com0:
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: iexplore.exe, 00000003.00000002.22416420384.02EB7000.00000004.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: iexplore.exe, 00000003.00000002.22413107787.0029E000.00000004.sdmpString found in binary or memory: http://ocsp.msocsp.com0
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://p.zhongsou.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pl.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pl.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pl.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://price.ru/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://price.ru/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pt.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pt.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://pt.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://recherche.linternaute.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://recherche.tf1.fr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://rover.ebay.com
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ru.search.yahoo.com
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ru.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ru.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://ru.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://sads.myspace.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.about.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.alice.it/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.aol.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.aol.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.aol.in/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.atlas.cz/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.auction.co.kr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.auone.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.books.com.tw/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.centrum.cz/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.chol.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.cn.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.daum.net/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.dreamwiz.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.es/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.fr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.in/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ebay.it/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.empas.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.espn.go.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.gamer.com.tw/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.gismeteo.ru/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.goo.ne.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.hanafos.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.interpark.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ipop.co.kr/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.livedoor.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.lycos.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.lycos.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.nate.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.naver.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.nifty.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.orange.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.rediff.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.seznam.cz/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.sify.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yahoo.co.jp
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search.yam.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search1.taobao.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://search2.estadao.com.br/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://searchresults.news.com.au/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://service2.bfast.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://si.wikipedia.org/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://si.wikipedia.org/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://si.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.aol.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.freenet.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.lycos.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.t-online.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.web.de/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415684901.02B50000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317207664.030D0000.00000008.sdmpString found in binary or memory: http://treyresearch.net
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://tw.search.yahoo.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://udn.com/
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://udn.com/favicon.ico
Source: iexplore.exe, 00000003.00000002.22415890904.02C09000.00000008.sdmp, iexplore.exe, 00000004.00000002.22317741145.03189000.00000008.sdmpString found in binary or memory: http://uk.ask.com/
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown; Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49171 -> 443

E-Banking Fraud:

Detected Ursnif banking trojan
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_00401B1C

System Summary:

Starts Internet Explorer in hidden mode
Source: C:\Program Files\Internet Explorer\iexplore.exe; Window hidden: window name: IEFrame
Contains functionality to call native functions
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_0040134B memcpy, memcpy, memcpy, NtUnmapViewOfSection, RtlNtStatusToDosError, CloseHandle, memset
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_004015E5 NtCreateSection, memset, RtlNtStatusToDosError, ZwClose
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_00401203 LdrLoadDll, LdrGetProcedureAddress, NtProtectVirtualMemory, GetModuleHandleA, memcpy
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_0040218D memset, memcpy, NtSetContextThread, RtlNtStatusToDosError, GetLastError
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_004015A6 NtMapViewOfSection, RtlNtStatusToDosError
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_004025C0 NtWriteVirtualMemory, RtlNtStatusToDosError, SetLastError
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_00402653 GetModuleHandleA, GetCursorPos, GetModuleHandleA, GetModuleHandleA, NtGetContextThread, NtGetContextThread
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_00402603 NtAllocateVirtualMemory, RtlNtStatusToDosError, SetLastError
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_00402F99 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_0040259F NtGetContextThread, RtlNtStatusToDosError
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_00402D2C NtGetContextThread
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_012A3B68 NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_012AE040 NtProtectVirtualMemory, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_012AE018 NtProtectVirtualMemory, NtProtectVirtualMemory
Detected potential crypto function
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_00402D78
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_012A2922
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_012A8F3C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\payload.exe; Code function: String function: 00402BB3 appears 134 times
Source: C:\Users\user\Desktop\payload.exe; Code function: String function: 00401CAE appears 156 times
Source: C:\Users\user\Desktop\payload.exe; Code function: String function: 00402E18 appears 155 times
Searches the installation path of Mozilla Firefox
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe; Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\54.0.1 (x86 en-US)\Main Install Directory
Classification label
Source: classification engine; Classification label: mal72.bank.evad.winEXE@6/12@0/2
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_012A5103 CoCreateInstance
Creates files inside the user directory
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\HERBBL~1\AppData\Local\Temp\~DF281A968BBB46B987.TMP
PE file has an executable .text section and no other executable section
Source: payload.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Program Files\Internet Explorer\iexplore.exe; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\payload.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: payload.exe; virustotal: Detection: 53%
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\payload.exe 'C:\Users\user\Desktop\payload.exe'
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3772 CREDAT:275457 /prefetch:2
Source: unknown; Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3772 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\payload.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Uses new MSVCR Dlls
Source: C:\Program Files\Internet Explorer\iexplore.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Hooking and other Techniques for Hiding and Protection:

Writes registry values via WMI
Source: C:\Users\user\Desktop\payload.exe; WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\payload.exe; WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\payload.exe; WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\payload.exe; WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\payload.exe; WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\payload.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (cursor check)
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_00401070
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\payload.exe; Window / User API: threadDelayed 646
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\payload.exe; Evasive API call chain: GetModuleFileName, DecisionNodes, ExitProcess (graph_1-3081)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\payload.exe TID: 3712; Thread sleep count: 646 > 30
Source: C:\Users\user\Desktop\payload.exe TID: 3712; Thread sleep time: -38760000s >= -60000s
Source: C:\Users\user\Desktop\payload.exe TID: 3768; Thread sleep time: -60000s >= -60000s
Program exit points
Source: C:\Users\user\Desktop\payload.exe; API call chain: ExitProcess graph end node (graph_1-3044)
Source: C:\Users\user\Desktop\payload.exe; API call chain: ExitProcess graph end node (graph_1-3036)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\payload.exe; System information queried: KernelDebuggerInformation
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_00401203 LdrLoadDll, LdrGetProcedureAddress, NtProtectVirtualMemory, GetModuleHandleA, memcpy

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: payload.exe, 00000001.00000002.22428381697.00530000.00000002.sdmp; Binary or memory string: Progman
Source: payload.exe, 00000001.00000002.22428381697.00530000.00000002.sdmp; Binary or memory string: Program Manager
Source: payload.exe, 00000001.00000002.22428381697.00530000.00000002.sdmp; Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_012A44A2 cpuid
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_012A1BC6 GetSystemTimeAsFileTime, HeapFree
Contains functionality to query windows version
Source: C:\Users\user\Desktop\payload.exe; Code function: 1_2_00401AA8 CreateEventA, GetVersion, GetCurrentProcessId, OpenProcess, GetLastError
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\payload.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

[Behavior graph, ID: 72253. Sample: payload; Startdate: 13/08/2018; Architecture: WINDOWS; Score: 72]

  • Sample signature: Multi AV Scanner detection for submitted file
  • payload.exe (started)
      Signatures: Detected Ursnif banking trojan; Tries to detect sandboxes / dynamic malware analysis system (cursor check); Writes registry values via WMI; Creates a COM Internet Explorer object
  • iexplore.exe (started; graph node counts: 23, 47)
      Signature: Starts Internet Explorer in hidden mode
      DNS/IP info: cs9.wpc.v0cdn.net, 152.199.19.161, ports 443, 49170, 49171, ANSBB-ASNNET-1-AdvancedNetworksServicesIncUS, United States
      • iexplore.exe (started; graph node count: 14)
          DNS/IP info: 195.123.212.153, port 80, ITL-LV, Ukraine
          • ssvagent.exe (started; graph node count: 6)

Simulations

Behavior and APIs

Time | Type | Description
14:03:27 | API Interceptor | 1109x Sleep call for process: iexplore.exe modified
14:03:27 | API Interceptor | 738x Sleep call for process: payload.exe modified
14:03:29 | API Interceptor | 1x Sleep call for process: ssvagent.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label | Link
payload.exe | 54% | virustotal | | Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
cs9.wpc.v0cdn.net | 0% | virustotal | | Browse

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots