
Analysis Report https://mapcovid.info/covidbase.jar

Overview

General Information

Sample URL: https://mapcovid.info/covidbase.jar

Most interesting Screenshot:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: rundll32 run dll from internet
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Machine Learning detection for dropped file
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates a big amount of memory (probably used for heap spraying)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 1300 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://mapcovid.info/covidbase.jar' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 4764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 2572 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://mapcovid.info/covidbase.jar' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • cmd.exe (PID: 1944 cmdline: C:\Windows\system32\cmd.exe /c 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\download\covidbase.jar' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • 7za.exe (PID: 4432 cmdline: 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\download\covidbase.jar' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
  • cmd.exe (PID: 3632 cmdline: 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\download\covidbase.jar' Covid_Base >> C:\cmdlinestart.log 2>&1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 4736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • java.exe (PID: 5096 cmdline: java.exe -jar 'C:\Users\user\Desktop\download\covidbase.jar' Covid_Base MD5: 6871F6B74CA631B95B6CE1DEEFB487E7)
      • icacls.exe (PID: 4860 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • data.exe (PID: 400 cmdline: 'C:\Users\user\AppData\Local\Temp\data.exe' MD5: 393A0E52DCE28A358B5F56488C903DCD)
        • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wermgr.exe (PID: 5480 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
      • rundll32.exe (PID: 2972 cmdline: rundll32 url.dll,FileProtocolHandler https://covid19.who.int MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • iexplore.exe (PID: 3764 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' https://covid19.who.int/ MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
          • iexplore.exe (PID: 4868 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3764 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview


System Summary:

Sigma detected: rundll32 run dll from internet
Source: Process started; Author: Joe Security; Data: Command: rundll32 url.dll,FileProtocolHandler https://covid19.who.int, CommandLine: rundll32 url.dll,FileProtocolHandler https://covid19.who.int, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: java.exe -jar 'C:\Users\user\Desktop\download\covidbase.jar' Covid_Base , ParentImage: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_2755781\java.exe, ParentProcessId: 5096, ProcessCommandLine: rundll32 url.dll,FileProtocolHandler https://covid19.who.int, ProcessId: 2972
Sigma detected: Suspicious Rundll32 Activity
Source: Process started; Author: juju4; Data: Command: rundll32 url.dll,FileProtocolHandler https://covid19.who.int, CommandLine: rundll32 url.dll,FileProtocolHandler https://covid19.who.int, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: java.exe -jar 'C:\Users\user\Desktop\download\covidbase.jar' Covid_Base , ParentImage: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_2755781\java.exe, ParentProcessId: 5096, ProcessCommandLine: rundll32 url.dll,FileProtocolHandler https://covid19.who.int, ProcessId: 2972

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: covidbase.info; Google Safe Browsing: Label: phishing
Multi AV Scanner detection for domain / URL
Source: covidbase.info; Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\data.exe; Virustotal: Detection: 17%
Multi AV Scanner detection for submitted file
Source: https://mapcovid.info/covidbase.jar; Virustotal: Detection: 11%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\data.exe; Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\data.exe; Code function: 13_2_00857080 CryptAcquireContextA,CryptAcquireContextA,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,_wprintf,CryptAcquireContextA,13_2_00857080

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_2755781\java.exe; Process created: C:\Users\user\AppData\Local\Temp\data.exe
Source: iexplore.exe; Memory has grown: Private usage: 3MB later: 402MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.6:49739 -> 185.90.61.9:443
Source: unknown; TCP traffic detected without corresponding DNS query: 185.90.61.9
Source: unknown; TCP traffic detected without corresponding DNS query: 185.90.61.9
Source: unknown; TCP traffic detected without corresponding DNS query: 185.90.61.9
Source: C:\Users\user\AppData\Local\Temp\data.exe; Code function: 13_2_008577B0 _memset,GetProcessHeap,HeapAlloc,_wprintf,GetComputerNameW,WSAGetLastError,_wprintf,socket,WSAGetLastError,_wprintf,bind,WSAGetLastError,_wprintf,getsockname,WSAGetLastError,_wprintf,_memset,_wprintf,GetProcessHeap,HeapAlloc,GetLastError,_wprintf,WSASetServiceW,WSAGetLastError,_wprintf,listen,WSAGetLastError,_wprintf,_wprintf,accept,GetProcessHeap,HeapAlloc,recv,_wprintf,WSAGetLastError,_wprintf,_wprintf,_wprintf,closesocket,WSAGetLastError,_wprintf,WSAGetLastError,_wprintf,GetLastError,_wprintf,closesocket,closesocket,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_008577B0
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml0.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa095bb1a,0x01d644de</date><accdate>0xa095bb1a,0x01d644de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa095bb1a,0x01d644de</date><accdate>0xa095bb1a,0x01d644de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0a029a8,0x01d644de</date><accdate>0xa0a029a8,0x01d644de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa0a029a8,0x01d644de</date><accdate>0xa0a029a8,0x01d644de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa0a57390,0x01d644de</date><accdate>0xa0a57390,0x01d644de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.16.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa0a57390,0x01d644de</date><accdate>0xa0a82223,0x01d644de</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown; DNS traffic detected: queries for: mapcovid.info
Source: java.exe, 00000008.00000002.489564994.0000000004989000.00000004.00000001.sdmp; String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: data.exe, 0000000D.00000000.480156458.0000000000872000.00000002.00020000.sdmp, data.exe.8.dr; String found in binary or memory: http://%s.bogus
Source: data.exe, 0000000D.00000000.480156458.0000000000872000.00000002.00020000.sdmp, data.exe.8.dr; String found in binary or memory: http://%s.boguswbk
Source: rundll32.exe, 0000000E.00000002.488391317.0000000004600000.00000002.00000001.sdmp; String found in binary or memory: http://%s.com
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://amazon.fr/
Source: java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: wget.exe, 00000003.00000002.438096086.0000000002C08000.00000004.00000001.sdmp, java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://auone.jp/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488391317.0000000004600000.00000002.00000001.sdmp; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://br.search.yahoo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: java.exe, 00000008.00000002.495029350.0000000009B97000.00000004.00000001.sdmp; String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.orange.es/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.lycos.es/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.com.br/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscador.terra.es/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscar.ozu.es/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://buscar.ya.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://busqueda.aol.com.mx/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://cerca.lycos.it/
Source: java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://cert.int-x3.letsencrypt.org/
Source: wget.exe, 00000003.00000002.438096086.0000000002C08000.00000004.00000001.sdmp; String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://cert.int-x3.letsencrypt.org/0-
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://cnet.search.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://corp.naukri.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://cps.letsencrypt.org
Source: wget.exe, 00000003.00000002.438096086.0000000002C08000.00000004.00000001.sdmp, java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://cps.letsencrypt.org0
Source: java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://cps.root-x1.letsencrypt.org
Source: wget.exe, 00000003.00000002.438096086.0000000002C08000.00000004.00000001.sdmp, java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000008.00000002.496620443.0000000009BCB000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: 7za.exe, 00000005.00000003.443952752.0000000000070000.00000004.00000001.sdmp, java.exe, 00000008.00000002.494269692.0000000009B6D000.00000004.00000001.sdmp, WORLD_HEALTH_ORGANIZATION.RSA.5.dr; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 7za.exe, 00000005.00000003.443952752.0000000000070000.00000004.00000001.sdmp, java.exe, 00000008.00000002.494269692.0000000009B6D000.00000004.00000001.sdmp, WORLD_HEALTH_ORGANIZATION.RSA.5.dr; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wget.exe, java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000003.00000003.435064233.0000000002BC4000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl$
Source: wget.exe, 00000003.00000002.436076221.0000000000D78000.00000004.00000020.sdmp, java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl
Source: wget.exe, 00000003.00000002.438096086.0000000002C08000.00000004.00000001.sdmp, java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: java.exe, 00000008.00000002.496620443.0000000009BCB000.00000004.00000001.sdmp; String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl
Source: 7za.exe, 00000005.00000003.443952752.0000000000070000.00000004.00000001.sdmp, java.exe, 00000008.00000002.494269692.0000000009B6D000.00000004.00000001.sdmp, WORLD_HEALTH_ORGANIZATION.RSA.5.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000008.00000002.496620443.0000000009BCB000.00000004.00000001.sdmp; String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt
Source: 7za.exe, 00000005.00000003.443952752.0000000000070000.00000004.00000001.sdmp, java.exe, 00000008.00000002.494269692.0000000009B6D000.00000004.00000001.sdmp, WORLD_HEALTH_ORGANIZATION.RSA.5.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://de.search.yahoo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://es.ask.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://es.search.yahoo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://esearch.rakuten.co.jp/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://espanol.search.yahoo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://espn.go.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://find.joins.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://fr.search.yahoo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://google.pchome.com.tw/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://home.altervista.org/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://home.altervista.org/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://images.monster.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://in.search.yahoo.com/
Source: java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://isrg.trustid.ocsp.identrust.com
Source: wget.exe, 00000003.00000002.438096086.0000000002C08000.00000004.00000001.sdmp, java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://it.search.dada.net/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://it.search.yahoo.com/
Source: java.exe, 00000008.00000002.495055776.0000000009B9C000.00000004.00000001.sdmp; String found in binary or memory: http://java.oracle.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://jobsearch.monster.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://kr.search.yahoo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://list.taobao.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://mail.live.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://msk.afisha.ru/
Source: java.exe, java.exe, 00000008.00000002.497291008.0000000009C07000.00000004.00000001.sdmp; String found in binary or memory: http://null.oracle.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: java.exe, 00000008.00000002.494269692.0000000009B6D000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com
Source: 7za.exe, 00000005.00000003.443952752.0000000000070000.00000004.00000001.sdmp, java.exe, 00000008.00000002.511965199.0000000014B12000.00000004.00000001.sdmp, WORLD_HEALTH_ORGANIZATION.RSA.5.dr; String found in binary or memory: http://ocsp.comodoca.com0
Source: java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.int-x3.letsencrypt.org
Source: wget.exe, 00000003.00000002.438096086.0000000002C08000.00000004.00000001.sdmp, java.exe, 00000008.00000002.490869080.0000000004A73000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: java.exe, 00000008.00000002.494269692.0000000009B6D000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.sectigo.com
Source: 7za.exe, 00000005.00000003.443952752.0000000000070000.00000004.00000001.sdmp, java.exe, 00000008.00000002.494159998.0000000009B50000.00000004.00000001.sdmp, WORLD_HEALTH_ORGANIZATION.RSA.5.dr; String found in binary or memory: http://ocsp.sectigo.com0
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://p.zhongsou.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://policy.camerfirma.com0
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://price.ru/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://price.ru/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://recherche.linternaute.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://recherche.tf1.fr/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp; String found in binary or memory: http://repository.swisssign.com/0
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://rover.ebay.com
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://ru.search.yahoo.com
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://sads.myspace.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://search-dyn.tiscali.it/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://search.about.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://search.alice.it/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://search.alice.it/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://search.aol.co.uk/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://search.aol.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://search.aol.in/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp; String found in binary or memory: http://search.atlas.cz/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488391317.0000000004600000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmpString found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmpString found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
Source: rundll32.exe, 0000000E.00000002.488391317.0000000004600000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
Source: msapplication.xml.16.drString found in binary or memory: http://www.amazon.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe, 00000008.00000002.489564994.0000000004989000.00000004.00000001.sdmpString found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmpString found in binary or memory: http://www.chambersign.org1
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
Source: msapplication.xml1.16.drString found in binary or memory: http://www.google.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: msapplication.xml2.16.drString found in binary or memory: http://www.live.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
Source: msapplication.xml3.16.dr | String found in binary or memory: http://www.nytimes.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml4.16.dr | String found in binary or memory: http://www.reddit.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml5.16.dr | String found in binary or memory: http://www.twitter.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml6.16.dr | String found in binary or memory: http://www.wikipedia.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml7.16.dr | String found in binary or memory: http://www.youtube.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
Source: js[1].js.17.dr | String found in binary or memory: https://ade.googlesyndication.com/ddm/activity
Source: js[1].js.17.dr | String found in binary or memory: https://adservice.google.com/ddm/regclk
Source: analytics[1].js.17.dr | String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp, Covid_Base.class.5.dr | String found in binary or memory: https://covid19.who.int
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp, {C88D1007-B0D1-11EA-AAE7-9CC1A2A860C6}.dat.16.dr | String found in binary or memory: https://covid19.who.int/
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int/03
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int/1
Source: rundll32.exe, 0000000E.00000002.486766838.0000000000AA0000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int/C:
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int/E
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int/G
Source: {C88D1007-B0D1-11EA-AAE7-9CC1A2A860C6}.dat.16.dr | String found in binary or memory: https://covid19.who.int/Root
Source: {C88D1007-B0D1-11EA-AAE7-9CC1A2A860C6}.dat.16.dr | String found in binary or memory: https://covid19.who.int/XWHO
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int/Z
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int/d
Source: imagestore.dat.17.dr | String found in binary or memory: https://covid19.who.int/favicon-32x32.png
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int/lt
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int/tw
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int?
Source: rundll32.exe, 0000000E.00000002.486766838.0000000000AA0000.00000004.00000020.sdmp, rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.intC:
Source: java.exe, 00000008.00000002.485259930.0000000000BE0000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.intersC:
Source: java.exe, 00000008.00000002.510697696.0000000014A60000.00000004.00000001.sdmp | String found in binary or memory: https://covid19.who.intrR
Source: java.exe, 00000008.00000002.485757386.000000000464E000.00000004.00000001.sdmp, Covid_Base.class.5.dr | String found in binary or memory: https://covidbase.info/data.exe
Source: js[1].js.17.dr | String found in binary or memory: https://github.com/krux/postscribe/blob/master/LICENSE.
Source: {C88D1007-B0D1-11EA-AAE7-9CC1A2A860C6}.dat.16.dr, widget[1].js.17.dr | String found in binary or memory: https://live-chat-static.sprinklr.com/chat/qLkPXre8F/static/js/main.28681c35.js
Source: {C88D1007-B0D1-11EA-AAE7-9CC1A2A860C6}.dat.16.dr, widget[1].js.17.dr | String found in binary or memory: https://live-chat-static.sprinklr.com/chat/qLkPXre8F/static/js/vendor.c87be9c0.chunk.js
Source: wget.exe, 00000003.00000002.436053492.0000000000D70000.00000004.00000020.sdmp, cmdline.out.3.dr | String found in binary or memory: https://mapcovid.info/covidbase.jar
Source: wget.exe, 00000003.00000003.435064233.0000000002BC4000.00000004.00000001.sdmp | String found in binary or memory: https://mapcovid.info/covidbase.jarK
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000008.00000002.497918855.0000000009CA8000.00000004.00000001.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: js[1].js.17.dr | String found in binary or memory: https://pagead2.googlesyndication.com
Source: js[1].js.17.dr | String found in binary or memory: https://pagead2.googlesyndication.com/
Source: widget[1].js.17.dr | String found in binary or memory: https://prod-who-live-chat.sprinklr.com
Source: java.exe, 00000008.00000002.496620443.0000000009BCB000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS
Source: 7za.exe, 00000005.00000003.443952752.0000000000070000.00000004.00000001.sdmp, java.exe, 00000008.00000002.494269692.0000000009B6D000.00000004.00000001.sdmp, WORLD_HEALTH_ORGANIZATION.RSA.5.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: analytics[1].js.17.dr | String found in binary or memory: https://stats.g.doubleclick.net/j/collect
Source: analytics[1].js.17.dr | String found in binary or memory: https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&
Source: js[1].js.17.dr | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: analytics[1].js.17.dr | String found in binary or memory: https://www.google-analytics.com/gtm/js?id=
Source: analytics[1].js.17.dr | String found in binary or memory: https://www.google.%/ads/ga-audiences
Source: js[1].js.17.dr | String found in binary or memory: https://www.google.com
Source: js[1].js.17.dr | String found in binary or memory: https://www.google.com/pagead/conversion_async.js
Source: js[1].js.17.dr | String found in binary or memory: https://www.google.com/travel/flights/click/conversion/
Source: js[1].js.17.dr | String found in binary or memory: https://www.googletraveladservices.com/travel/clk/pagead/conversion/
Source: js[1].js.17.dr | String found in binary or memory: https://www.googletraveladservices.com/travel/vacations/clk/pagead/conversion/
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
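Most of the strings listed above are not the sample's: the favicon URLs of well-known shops and portals sit in rundll32.exe memory because the decoy page was opened through it, the Google ad and analytics hosts come from JavaScript cached from that page (the msapplication.xml*, imagestore.dat and *.js drops are Internet Explorer cache artefacts), and the QuoVadis and Sectigo CPS/OCSP pointers are copied out of certificates. The URLs that matter are the two whose source is the dropped Covid_Base.class (the decoy https://covid19.who.int and the payload https://covidbase.info/data.exe) and the submitted JAR fetched by the sandbox's own wget. The Python below is an added triage script written for this page, not sandbox output: it parses lines in the report's "Source: ... | String found in binary or memory: ..." layout (and the fused form without the separator that text extraction produces), folds memory run-ons such as "covidbase.jarK" and "CPS0" onto the real URL, tags each URL from where it was found, and pairs the one-direction-per-line port entries into sessions. The category names and the three-character run-on threshold are my own heuristics, and the sample lines are constructed copies of entries from this report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Both patterns accept the two-cell layout "Source: X | Finding: Y" and the
# fused "Source: XFinding: Y" that HTML-to-text extraction of the report yields.
STRING_RE = re.compile(
    r"^Source: (?P<sources>.+?)\s*\|?\s*String found in binary or memory: (?P<url>\S+)$")
FLOW_RE = re.compile(
    r"^Source: unknown\s*\|?\s*Network traffic detected: HTTP traffic on port "
    r"(?P<src>\d+) -> (?P<dst>\d+)$")
CLASS_DROP_RE = re.compile(r"\.class\.\d+\.dr$")   # a dropped Java class file
CACHED_JS_RE = re.compile(r"\.js\.\d+\.dr$")       # a script dropped into the browser cache

# Constructed sample: copies of entries from this report, embedded so the
# script runs offline.
SAMPLE_STRINGS = """\
Source: rundll32.exe, 0000000E.00000002.488876010.00000000046F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml7.16.dr | String found in binary or memory: http://www.youtube.com/
Source: js[1].js.17.dr | String found in binary or memory: https://pagead2.googlesyndication.com/
Source: java.exe, 00000008.00000002.496620443.0000000009BCB000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS
Source: 7za.exe, 00000005.00000003.443952752.0000000000070000.00000004.00000001.sdmp, java.exe, 00000008.00000002.494269692.0000000009B6D000.00000004.00000001.sdmp, WORLD_HEALTH_ORGANIZATION.RSA.5.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp, Covid_Base.class.5.dr | String found in binary or memory: https://covid19.who.int
Source: rundll32.exe, 0000000E.00000002.486246832.0000000000040000.00000004.00000020.sdmp | String found in binary or memory: https://covid19.who.int/03
Source: java.exe, 00000008.00000002.485757386.000000000464E000.00000004.00000001.sdmp, Covid_Base.class.5.dr | String found in binary or memory: https://covidbase.info/data.exe
Source: wget.exe, 00000003.00000002.436053492.0000000000D70000.00000004.00000020.sdmp, cmdline.out.3.dr | String found in binary or memory: https://mapcovid.info/covidbase.jar
Source: wget.exe, 00000003.00000003.435064233.0000000002BC4000.00000004.00000001.sdmp | String found in binary or memory: https://mapcovid.info/covidbase.jarK
"""
SAMPLE_FLOWS = """\
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
"""


def parse_strings(text):
    """Return [(url, [source tokens])] for every string-found line."""
    out = []
    for line in text.splitlines():
        m = STRING_RE.match(line)
        if m:
            out.append((m.group("url"), [s.strip() for s in m.group("sources").split(",")]))
    return out


def canonical(url, known):
    """Fold a memory run-on ('.../covidbase.jarK', '.../CPS0') onto the shortest
    known URL it extends by at most three trailing characters (heuristic)."""
    best = url
    for k in known:
        if k != url and url.startswith(k) and len(url) - len(k) <= 3 and len(k) < len(best):
            best = k
    return best


def classify(url, sources):
    """Heuristic tag (names are mine) derived from where the string was found."""
    parts = urlsplit(url)
    host, path = (parts.hostname or ""), parts.path.lower()
    if any(CLASS_DROP_RE.search(s) for s in sources):
        return "sample-embedded"        # literal inside the dropped .class: the JAR's own logic
    if any(s.startswith(("wget.exe", "cmdline.out")) for s in sources):
        return "analysis-download"      # the sandbox's own fetch of the submitted URL
    if host.startswith("ocsp.") or "/cps" in path:
        return "pki-cert-metadata"      # CPS/OCSP pointers copied out of X.509 certificates
    if path.endswith("favicon.ico") or any(s.startswith("msapplication.xml") for s in sources):
        return "browser-default-noise"  # built-in site/favicon lists of the browser that opened the decoy
    if any(CACHED_JS_RE.search(s) for s in sources):
        return "decoy-site-cache"       # scripts cached from the page the sample opened as a decoy
    return "unclassified"


def triage(text):
    """Map each canonical URL to its host, category, merged sources and run-on variants."""
    rows = parse_strings(text)
    known = {u for u, _ in rows}
    merged = defaultdict(lambda: {"sources": set(), "variants": set()})
    for url, sources in rows:
        base = canonical(url, known)
        merged[base]["sources"].update(sources)
        if base != url:
            merged[base]["variants"].add(url)
    return {url: {"host": urlsplit(url).hostname,
                  "category": classify(url, info["sources"]),
                  "sources": sorted(info["sources"]),
                  "variants": sorted(info["variants"])}
            for url, info in merged.items()}


def pair_flows(text):
    """Pair the per-direction port lines into sessions keyed by the client's
    ephemeral port (the sandbox labels 443 as HTTP; it is TLS on the wire).
    Returns (ports seen in both directions, ports seen in one direction only)."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        if dst == 443:
            seen[src].add("out")
        elif src == 443:
            seen[dst].add("in")
    both = sorted(p for p, d in seen.items() if d == {"out", "in"})
    one_way = sorted(p for p, d in seen.items() if d != {"out", "in"})
    return both, one_way


if __name__ == "__main__":
    for url, info in sorted(triage(SAMPLE_STRINGS).items(), key=lambda kv: kv[1]["category"]):
        print(f'{info["category"]:22} {url}  variants={info["variants"]}')
    both, one_way = pair_flows(SAMPLE_FLOWS)
    print("bidirectional sessions:", both, " one-way:", one_way)
```

The run-on folding is deliberately narrow: anything that extends a known URL by more than three characters (such as https://covid19.who.int/favicon-32x32.png) is kept as its own entry, but a genuinely distinct path of one to three characters would be folded too, so review the "variants" field before discarding them. A port that appears in one direction only (49739 in the report) is either an unanswered connection attempt or a truncated capture, and is worth correlating with the DNS and TLS SNI records the sandbox keeps elsewhere.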

System Summary:

Source: C:\Users\user\AppData\Local\Temp\data.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02BC6E99
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_3_02BC7069
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00D8F55A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_2755781\java.exe | Code function: 8_3_14B2CFE6
Source: C:\Users\user\AppData\Local\Temp\data.exe | Code function: 13_2_00851100
Source: C:\Users\user\AppData\Local\Temp\data.exe | Code function: 13_2_00865C48
Source: C:\Users\user\AppData\Local\Temp\data.exe | Code function: 13_2_00866875
Source: C:\Users\user\AppData\Local\Temp\data.exe | Code function: 13_2_00866199
Source: C:\Users\user\AppData\Local\Temp\data.exe | Code function: 13_2_008675AD
Source: C:\Users\user\AppData\Local\Temp\data.exe | Code function: 13_2_0085C90B
Source: C:\Users\user\AppData\Local\Temp\data.exe | Code function: 13_2_008656F6
Source: C:\Users\user\AppData\Local\Temp\data.exe | Code function: String function: 00858EC8 appears 1558 times
Source: C:\Users\user\AppData\Local\Temp\data.exe | Code function: String function: 0085B870 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\data.exe | Code function: String function: 00858E21 appears 41 times
Source: data.exe.8.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: data.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: data.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: data.exe.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
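The RT_RCDATA finding above says data.exe carries a second 32-bit GUI DLL as a raw resource, a layout typical of loaders that keep their payload inside the carrier and map or write it out at run time (consistent with the "Drops PE files" and "dropped PE file" signatures on this report). Resource data is stored uncompressed in the .rsrc section, so a linear scan of the file for validated MZ/PE headers finds such a payload without walking the resource directory. The script below is an added example written for this page, not sandbox code: each MZ candidate is checked through e_lfanew, the PE signature, the COFF characteristics and the PE32/PE32+ optional-header magic, and reported in the same terms the report uses (bitness, machine, DLL flag, subsystem). The stub builder produces constructed header-only test data so the scan can be exercised offline; against a real sample the usage is `python carve_pe.py data.exe`, where the script name is hypothetical.

```python
import struct
import sys

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}


def describe_pe_at(buf, off):
    """Validate an MZ candidate at `off` and describe it, or return None.
    Checks: e_lfanew in a sane range, 'PE\\0\\0' signature, EXECUTABLE_IMAGE set,
    a plausible section count, and a PE32/PE32+ optional-header magic."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 26 > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE or not 0 < nsections <= 96:
        return None
    opt = pe + 24
    bits = {0x10B: 32, 0x20B: 64}.get(struct.unpack_from("<H", buf, opt)[0])
    if bits is None:
        return None
    # Subsystem sits at optional-header offset 68 in both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", buf, opt + 68)[0] if opt + 70 <= len(buf) else 0
    return {"offset": off, "bits": bits, "machine": MACHINES.get(machine, hex(machine)),
            "dll": bool(chars & IMAGE_FILE_DLL),
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem))}


def carve_embedded_pes(buf, skip_outer=True):
    """Linear scan for every validated MZ/PE header. With skip_outer the carrier
    at offset 0 is left out, so only images stored inside it remain, which is
    what an 'RT_RCDATA contains a PE32 DLL' finding looks like on disk."""
    hits, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) != -1:
        desc = describe_pe_at(buf, pos)
        if desc and not (skip_outer and pos == 0):
            hits.append(desc)
        pos += 1
    return hits


def build_stub_pe(dll=False, bits=32, subsystem=2):
    """Constructed test data, not a real binary: a header-only PE (DOS header with
    e_lfanew=0x40, COFF header, optional header) that passes describe_pe_at but
    is not loadable."""
    opt_size = 224 if bits == 32 else 240
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C if bits == 32 else 0x8664,
                                   3, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B if bits == 32 else 0x20B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + coff + bytes(opt)


def build_sample():
    """Constructed carrier: a 32-bit GUI EXE, padding, a decoy 'MZ' that is not
    followed by a valid PE header, then an embedded 32-bit GUI DLL.
    Returns (bytes, offset of the embedded DLL)."""
    carrier = build_stub_pe(dll=False)
    filler = b"\0" * 256
    decoy = b"junkMZjunk"
    payload = build_stub_pe(dll=True)
    return carrier + filler + decoy + payload + b"\0" * 64, len(carrier) + len(filler) + len(decoy)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data, _ = build_sample()
    for hit in carve_embedded_pes(data):
        kind = "DLL" if hit["dll"] else "EXE"
        print(f'offset 0x{hit["offset"]:x}: PE{hit["bits"]} {kind} ({hit["subsystem"]}) {hit["machine"]}')
```

The header checks reject the stray "MZ" byte pairs that any large binary contains, but they do not prove the image is complete: a hit only tells you where a header starts, and the next step is to cut from that offset to end of file (or to the resource entry's stated size, if you do parse .rsrc) and hash and scan the carved DLL on its own. The scan will not find a payload that is stored encrypted or compressed in the resource; in that case the sandbox's resource-type finding would also have been absent.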
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal100.expl.evad.win@25/66@9/9
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4736:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_01
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{E3686179-282F-B609-09B7-C17217796795}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_01
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_2755781\java.exe | File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user