1 Reply Latest reply on Nov 20, 2013 10:06 AM by Peter M

    rare URLs found in memory dump analysis

    ogoname

      I installed Windows 7 with updates, captured memory with DumpIt and analyzed it with Volatility, and nothing was found. Then I installed McAfee AV, captured memory again, and nothing appeared. But after applying the AV definition update, I captured memory, analyzed it, and found these URLs when I searched for strings with ".cn" as a filter; they are linked with the mcshield process. My customer wants to know if this is a malware issue.


      http://gd8bb.cn/x2/xx.html
      http://d10gc.cn/x2/xx.html
      http://bigtoprocks.cn:8080/index.php
      http://www.haogs.cn
      http://www.haogs.cn/html/
      http://search.msn.com.cn/spresults.aspx?q={searchTerms}&FORM=QBPH
      http://www.zhongyicts.com.cn
      http://www.zhongyicts.com.cn
      http://www.zhongyicts.com.cn
      http://www.88ii.cn
      http://www.88ii.cn
      http://www.8899.cn
      http://www.foxking.cn
      http://www.gexinghua.cn
      http://www.gexinghua.cn
      http://www.gexinghua.cn
      http://www.gexinghua.cn
      http://www.gexinghua.cn
      http://pv.autohome.com.cn/pv.ashx?
      http://g.cn&title=2016
      http://bb3s.cn
      http://ppkok.cn
      http://www.hellokav.cn/ppva_maidong0075.exe
      http://vip.oot.cn/temp/
      http://1111.850860.cn
      HTTP://XXX.LLXXCX.CN/
      http://0002.6658588.cn
      http://gova.0891e.com.cn
      http://windowsups.cn
      http://64500.cn
      http://www.360.cn/?360MS
      http://tj.boxcpm.cn
      http://xcwhgx.cn
      http://mynick.cn/spl/exe.php
      http://www.ac66.cn
      http://datai1.cn/
      http://www.517317.cn
      http://www.xinyouyu.cn/wm/index.htm
      http://NtKrnlpa.cn/rc/
      http://xiao.kisshong0452.cn/main.htm
      http://www.480332.cn/1/index.htm
      http://www.3ehaolihai.cn/down.htm
      http://www.xinxinbaidu.com.cn/htm/mm.htm
      http://www.ac86.cn/66/index.htm
      http://www.666535.cn/168.htm
      http://www.68aa.cn/mu/index.htm
      http://www.popo321.cn/1/1.htm
      http://www.851733.cn/htm/htm.htm
      http://www.94to25.cn/down.htm
      http://www.ac66.cn/88/index.htm
      http://www.q520.cn/qq/index.htm
      http://www.xinxinbaidu.com.cn/htm/mm.htm
      http://tech.google-serv.cn/index.htm
      http://c.xdrj.cn
      http://windowsups.cn
      http://1.520sb.cn/
      http://www.02.net.cn/s
      http://winzipices.cn/
      HTTP://WWW.158DM.CN/A1.HTM
      http://vvvpz.cn/sv/load.php
      http://domx1.cn/arend_psy/load.php
      http://www.cnhack.cn/soft/dw|
      http://044.cn
      http://www.360.cn/?360MSt
      http://qq.ee28.cn/htm/
      http://promixgroup.cn/in.cgi?cocacola91
      http://www.ririwow.cn
      http://ganni360.cn/ms.htm?666
      http://www0.douhunqn.cn/csrss/
      http://porgacig.cn/sss/
      http://sexbases.cn/
      http://www.if56.cn/kan.htm
      http://www.52gxy.cn/gua3.
      http://nx.51ylb.cn/soft/soft/
      http://blog.myspace.cn/e~
      http://union.115ku.cn/8616
      http://blog.myspace.cn/e/
      http://www.hzch.com.cn/
      HTTP://05505.CN/TONGJI/
      http://www.ejlb.cn
      http://www.ejlb.cn
      http://www.8koo.cn/
      http://www.8koo.cn/
      http://www.8koo.cn/
      http://www.8koo.cn/
      http://www.31g.cn/
      http://www.31g.cn/
      http://www.31g.cn/
      http://www.31g.cn/
      http://www.00c.cn
      http://www.00c.cn
      http://litecarfinestsite.cn/in.cgi?income71
      http://tixwagoq.cn/in.cgi?14
      http://www.downit.cn


      Do you know why those appear?

        • 1. Re: rare URLs found in memory dump analysis
          Peter M

          You posted about this on the 14th. I doubt anyone here will know the answer. You appear to be using a corporate product, so why not contact the support portal? My first instinct tells me they are probably URLs on some watch list in the database, so I doubt it has anything to do with malware.
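The string hunt the original poster describes, and the check the reply suggests, can be reproduced offline on the raw image. The script below is an added example written for this thread; it is not code from either poster, from Volatility or from McAfee. It pulls ASCII and UTF-16LE URLs out of a memory image, keeps the ones under a chosen TLD (.cn here), de-duplicates and counts them (the posted list has many repeats), and then looks at whether the hits sit packed back-to-back in one region, which is what a URL blocklist or definition table loaded by the AV engine would look like, versus scattered single strings. The memory image, the 256-byte packing gap and the URL patterns are all assumptions of the example; tying an offset back to the mcshield process is left to the memory-analysis tool.

```python
"""
Offline triage of URL strings in a raw memory image.

Added example for this thread, not code from the original posts or from
McAfee/Volatility.  It reproduces the poster's ".cn" string hunt on the raw
image and adds the check the reply hints at: whether the hits sit packed
together in one region (what a blocklist or definition table loaded by the
AV engine would look like) or are scattered through memory.  Mapping an
offset to a process is left to the memory-analysis tool; this covers strings only.

The memory image below is constructed for the example (a few KB of zeroes
around a packed, NUL-separated URL table and one isolated UTF-16LE URL).
"""
import re
from collections import Counter

# Conservative http(s) URL pattern over raw bytes: host chars, optional port,
# then a path of printable ASCII.  A NUL or whitespace ends the match.
ASCII_URL = re.compile(rb"https?://[A-Za-z0-9.\-_]+(?::\d+)?(?:/[\x21-\x7e]*)?",
                       re.IGNORECASE)
# Same thing spelled as UTF-16LE code units (each ASCII byte followed by NUL),
# which is how Windows wide strings appear in a dump.
WIDE_URL = re.compile(rb"[hH]\x00[tT]\x00[tT]\x00[pP]\x00(?:[sS]\x00)?"
                      rb":\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
HOST = re.compile(r"^https?://([A-Za-z0-9.\-]+)", re.IGNORECASE)


def extract_urls(image):
    """Yield (offset, encoding, url) for every ASCII and UTF-16LE URL."""
    for m in ASCII_URL.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii", "replace")
    for m in WIDE_URL.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le", "replace")


def host_of(url):
    """Hostname of a URL (no port, no path), lower-cased; None if malformed."""
    m = HOST.match(url)
    return m.group(1).lower() if m else None


def cluster_offsets(offsets, gap):
    """Group offsets into runs whose neighbours are at most `gap` bytes apart."""
    runs = []
    for off in sorted(offsets):
        if runs and off - runs[-1][-1] <= gap:
            runs[-1].append(off)
        else:
            runs.append([off])
    return runs


def triage(image, tld=".cn", gap=256):
    """Find URLs under `tld`, count duplicates, and see how tightly they pack.

    `gap` is a heuristic (an assumption of this example): URLs laid out
    back-to-back in a table are separated by far less than 256 bytes, while
    strings that belong to different allocations rarely are.
    """
    hits = [(off, enc, url) for off, enc, url in extract_urls(image)
            if host_of(url) is not None and host_of(url).endswith(tld)]
    counts = Counter(url for _, _, url in hits)
    runs = cluster_offsets([off for off, _, _ in hits], gap)
    largest = max(runs, key=len) if runs else []
    return {
        "hits": hits,                      # every occurrence, with offset
        "unique": counts,                  # de-duplicated, with repeat count
        "runs": runs,                      # clusters of nearby offsets
        "largest_run": (largest[0], largest[-1], len(largest)) if largest else None,
    }


def build_sample_image():
    """Constructed image for the example; not a real memory dump."""
    zeros = b"\x00" * 4096
    table = b"\x00".join([
        b"http://www.gexinghua.cn", b"http://www.gexinghua.cn",
        b"http://bigtoprocks.cn:8080/index.php", b"http://www.haogs.cn/html/",
        b"http://example.com/", b"http://d10gc.cn/x2/xx.html",
    ]) + b"\x00"
    lone_wide = "http://windowsups.cn".encode("utf-16-le") + b"\x00\x00"
    return zeros + table + zeros * 4 + lone_wide + zeros


if __name__ == "__main__":
    result = triage(build_sample_image())
    for url, n in result["unique"].most_common():
        print(f"{n:3d}  {url}")
    first, last, n = result["largest_run"]
    print(f"{len(result['hits'])} hits in {len(result['runs'])} run(s); "
          f"largest run: {n} URLs between 0x{first:x} and 0x{last:x}")
```

Point it at a real DumpIt image with `triage(open(path, "rb").read())`. If nearly all of the .cn hits fall into a handful of tight runs inside the AV process, that supports the watch-list reading in the reply; isolated hits, especially ones whose host string also turns up in the process's command lines or loaded-module list, are the ones worth following up with the vendor.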