Analysis Report _README_.hta

Overview

General Information

Sample Name:	_README_.hta
Analysis ID:	358574
MD5:	a295730ebb333c25f60e89b138c5339a
SHA1:	0f801ce60dc3e87de26b9a81cc27a92a59ed834e
SHA256:	f8aecc5461cfcca774dab51e8473b1265a8030e2de8a76629a42fe82003f8f09
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Found Tor onion address

JA3 SSL client fingerprint seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Classification

Signatures

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 104.21.50.61:443 -> 192.168.2.3:49722 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2023425 ET TROJAN Ransomware/Cerber Onion Domain Lookup 192.168.2.3:58823 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2023425 ET TROJAN Ransomware/Cerber Onion Domain Lookup 192.168.2.3:57568 -> 8.8.8.8:53

Found Tor onion address

Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFEF
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFEFN
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF%y
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFEy
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFUy
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFth
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF+&
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Please wait...</span><a id="megaurl" class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <li>type or copy the address <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> in this browser address bar;</li>
Source: _README_.hta	String found in binary or memory: ...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br>
Source: _README_.hta	String found in binary or memory: <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br></li>
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Even geduld aub...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <li>typ of kopieer het adres <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> in de adresbalk van uw browser;</li>
Source: _README_.hta	String found in binary or memory: t, attendez...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: adresse <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> dans cette barre d
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Warten Sie mal...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <li>tippen oder kopieren Sie die Adresse <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> in diese Browser-Adressleiste;</li>
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Attendere prego...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <li>digitare o copiare l'indirizzo <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> nella barra degli indirizzi di questo browser;</li>
Source: _README_.hta	String found in binary or memory: ...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <li>wpisz lub skopiuj adres <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> do paska adresu przegl
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Por favor, espere...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: o <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> nesta barra de endere
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Por favor espera...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: n <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> en la barra de direcciones de este navegador;</li>
Source: _README_.hta	String found in binary or memory: tfen bekle...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: n adres <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br>

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242174 HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.blockcypher.comConnection: Keep-Alive

Source: _README_.hta	String found in binary or memory: <p>If you have any problems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.</p> equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: <p>Indien uw problemen heeft tijdens de installatie of het gebruik van Tor Browser, ga dan naar <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> en typ in de zoekbalk equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: <p>Se si riscontrano problemi durante l'installazione o l'utilizzo di Tor Browser, visitare <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> e immettere "install tor browser windows" nella barra di ricerca per trovare numerosi video esplicativi sull'installazione e utilizzo di Tor Browser.</p> equals www.youtube.com (Youtube)
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: _README_.hta	String found in binary or memory: <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: do portalu <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> i wpisz w wyszukiwarce equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: hrend der Installation von Tor Browser Probleme haben, besuchen Sie bitte <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> und geben als Suchanforderung "tor browser Windows installieren" ein und Sie erhalten in den Suchergebnossen viele Anleitungsvideos equals www.youtube.com (Youtube)
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows equals www.youtube.com (Youtube)
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows; equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: n, o durante el uso del Navegador Tor, visite <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> y escriba la solicitud en la barra de b equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: o do Tor Browser, visite <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> e insira o pedido na barra de pesquisa equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: rken herhangi bir sorununuz olursa <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> adresine gidin ve arama equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: utilisation de Tor Browser, veuillez visiter <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> et saisir la demande dans la barre de recherche equals www.youtube.com (Youtube)
Source: mshta.exe, 00000004.00000002.529111827.000000000B86A000.00000004.00000001.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: ffoqr3ug7m726zou.0cgaez.top

Source: mshta.exe, 00000004.00000002.529323493.000000000B9E0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: mshta.exe, 00000004.00000002.525407727.0000000009C6A000.00000004.00000001.sdmp	String found in binary or memory: http://_blanknone.topinlineurlspannone
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://api.blockcypher.com/v
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/a8
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/addrs/
Source: mshta.exe, 00000004.00000002.530058365.000000000BD43000.00000004.00000040.sdmp	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242174
Source: mshta.exe, 00000004.00000003.210958453.000000000688A000.00000004.00000001.sdmp	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/addrs/t
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/txs/
Source: mshta.exe, 00000004.00000002.525407727.0000000009C6A000.00000004.00000001.sdmp	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/txs/http://api.blockcypher.com/v1/btc/main/addrs/3
Source: mshta.exe, 00000004.00000003.210958453.000000000688A000.00000004.00000001.sdmp	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/txs/tx
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529323493.000000000B9E0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.210958453.000000000688A000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: http://btc.blockr.io/api/v1/address/txs/
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242033
Source: mshta.exe, 00000004.00000002.525407727.0000000009C6A000.00000004.00000001.sdmp	String found in binary or memory: http://btc.blockr.io/api/v1/address/txs/3
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: http://btc.blockr.io/api/v1/tx/info/
Source: mshta.exe, 00000004.00000003.213082994.0000000009C77000.00000004.00000001.sdmp	String found in binary or memory: http://btc.blockr.io/api/v1/tx/info/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt
Source: mshta.exe, 00000004.00000003.210958453.000000000688A000.00000004.00000001.sdmp	String found in binary or memory: http://btc.blockr.io/api/v1/tx/info/tx
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncE
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Cloudf$=
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.3
Source: mshta.exe, 00000004.00000002.529275430.000000000B993000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareInc
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: mshta.exe, 00000004.00000003.211394365.000000000688B000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikip
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: _README_.hta	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF
Source: mshta.exe, 00000004.00000002.529184716.000000000B8FA000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF8
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.528958054.000000000B7E9000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.525429644.0000000009C7A000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.524669906.0000000008AFE000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframe
Source: mshta.exe, 00000004.00000002.525429644.0000000009C7A000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframe1
Source: mshta.exe, 00000004.00000002.524669906.0000000008AFE000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframe7
Source: mshta.exe, 00000004.00000002.524669906.0000000008AFE000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframe=
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframeAIA
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframeD
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframeEHE
Source: mshta.exe, 00000004.00000002.529184716.000000000B8FA000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframeH
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframe_H/
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframekH
Source: mshta.exe, 00000004.00000003.219699667.0000000009C75000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframeres://ieframe.dll/navcancl.htm#htt
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EFEx
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EFuy
Source: _README_.hta	String found in binary or memory: http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF5y
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EFey
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EFux
Source: _README_.hta	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF%y
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFEF
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFEy
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFUy
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFth
Source: _README_.hta	String found in binary or memory: http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529323493.000000000B9E0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: mshta.exe, 00000004.00000002.529323493.000000000B9E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: mshta.exe, 00000004.00000002.529275430.000000000B993000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/X
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: https://chain.so/api/v2/get_tx_outputs/btc/
Source: mshta.exe, 00000004.00000002.525407727.0000000009C6A000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_outputs/btc/3
Source: mshta.exe, 00000004.00000003.210958453.000000000688A000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_outputs/btc/tx
Source: mshta.exe, 00000004.00000002.524374463.0000000008AD2000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580
Source: mshta.exe, 00000004.00000003.219618569.0000000009EB9000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580D
Source: mshta.exe, 00000004.00000002.524374463.0000000008AD2000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580G=
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580b
Source: mshta.exe, 00000004.00000002.529184716.000000000B8FA000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580frame
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580z
Source: mshta.exe, 00000004.00000002.529275430.000000000B993000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/m
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/t
Source: mshta.exe, 00000004.00000002.524669906.0000000008AFE000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: mshta.exe, 00000004.00000002.529184716.000000000B8FA000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580
Source: mshta.exe, 00000004.00000002.524374463.0000000008AD2000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580#
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580#Z
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580M
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580SX
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580m
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: https://www.baidu.com
Source: mshta.exe, 00000004.00000002.523942404.0000000008AA0000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: https://www.baidu.com/s?wd=%E6%80%8E%E4%B9%88%E5%AE%89%E8%A3%85%20tor%20%E6%B5%8F%E8%A7%88%E5%99%A8
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: _README_.hta	String found in binary or memory: https://www.torproject.org/download/download-easy.html.en
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.en%x
Source: mshta.exe, 00000004.00000002.529184716.000000000B8FA000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.en(
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.en5x
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.enUx
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.enex
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.ent
Source: _README_.hta	String found in binary or memory: https://www.youtube.com
Source: _README_.hta	String found in binary or memory: https://www.youtube.com/results?search_query=Install

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443

Source: unknown

HTTPS traffic detected: 104.21.50.61:443 -> 192.168.2.3:49722 version: TLS 1.2

System Summary:

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal52.evad.winHTA@4/17@6/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF2363864BE1807E55.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5596 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5596 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: mshta.exe, 00000004.00000002.530073206.000000000BD50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWq
Source: mshta.exe, 00000004.00000002.524374463.0000000008AD2000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW8$
Source: mshta.exe, 00000004.00000002.530073206.000000000BD50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: mshta.exe, 00000004.00000002.530073206.000000000BD50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mshta.exe, 00000004.00000002.530073206.000000000BD50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Source: mshta.exe, 00000004.00000002.515569969.0000000003A80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: mshta.exe, 00000004.00000002.515569969.0000000003A80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000004.00000002.515569969.0000000003A80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: mshta.exe, 00000004.00000002.515569969.0000000003A80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.50.61	unknown	United States		13335	CLOUDFLARENETUS	false
104.20.21.251	unknown	United States		13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
chain.so	104.21.50.61	true
api.blockcypher.com	104.20.21.251	true
sochain.com	172.67.69.167	true
ffoqr3ug7m726zou.0cgaez.top	unknown	unknown
btc.blockr.io	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api.blockcypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242174	false		high

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 104.21.50.61:443 -> 192.168.2.3:49722 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2023425 ET TROJAN Ransomware/Cerber Onion Domain Lookup 192.168.2.3:58823 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2023425 ET TROJAN Ransomware/Cerber Onion Domain Lookup 192.168.2.3:57568 -> 8.8.8.8:53

Found Tor onion address

Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFEF
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFEFN
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF%y
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFEy
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFUy
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFth
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF+&
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Please wait...</span><a id="megaurl" class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <li>type or copy the address <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> in this browser address bar;</li>
Source: _README_.hta	String found in binary or memory: ...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br>
Source: _README_.hta	String found in binary or memory: <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br></li>
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Even geduld aub...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <li>typ of kopieer het adres <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> in de adresbalk van uw browser;</li>
Source: _README_.hta	String found in binary or memory: t, attendez...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: adresse <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> dans cette barre d
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Warten Sie mal...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <li>tippen oder kopieren Sie die Adresse <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> in diese Browser-Adressleiste;</li>
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Attendere prego...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <li>digitare o copiare l'indirizzo <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> nella barra degli indirizzi di questo browser;</li>
Source: _README_.hta	String found in binary or memory: ...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: <li>wpisz lub skopiuj adres <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> do paska adresu przegl
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Por favor, espere...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: o <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> nesta barra de endere
Source: _README_.hta	String found in binary or memory: <p><span class="info"><span class="updating">Por favor espera...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: n <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br> en la barra de direcciones de este navegador;</li>
Source: _README_.hta	String found in binary or memory: tfen bekle...</span><a class="url" href="http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF</a><span class="hr"></span><a href="http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF" target="_blank">http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF</a></span></p>
Source: _README_.hta	String found in binary or memory: n adres <br><span class="info">http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF</span><br>

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

Source: _README_.hta	String found in binary or memory: <p>If you have any problems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use.</p> equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: <p>Indien uw problemen heeft tijdens de installatie of het gebruik van Tor Browser, ga dan naar <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> en typ in de zoekbalk equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: <p>Se si riscontrano problemi durante l'installazione o l'utilizzo di Tor Browser, visitare <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> e immettere "install tor browser windows" nella barra di ricerca per trovare numerosi video esplicativi sull'installazione e utilizzo di Tor Browser.</p> equals www.youtube.com (Youtube)
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: _README_.hta	String found in binary or memory: <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: do portalu <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> i wpisz w wyszukiwarce equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: hrend der Installation von Tor Browser Probleme haben, besuchen Sie bitte <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> und geben als Suchanforderung "tor browser Windows installieren" ein und Sie erhalten in den Suchergebnossen viele Anleitungsvideos equals www.youtube.com (Youtube)
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows equals www.youtube.com (Youtube)
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows; equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: n, o durante el uso del Navegador Tor, visite <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> y escriba la solicitud en la barra de b equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: o do Tor Browser, visite <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> e insira o pedido na barra de pesquisa equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: rken herhangi bir sorununuz olursa <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> adresine gidin ve arama equals www.youtube.com (Youtube)
Source: _README_.hta	String found in binary or memory: utilisation de Tor Browser, veuillez visiter <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> et saisir la demande dans la barre de recherche equals www.youtube.com (Youtube)
Source: mshta.exe, 00000004.00000002.529111827.000000000B86A000.00000004.00000001.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: ffoqr3ug7m726zou.0cgaez.top

Source: mshta.exe, 00000004.00000002.529323493.000000000B9E0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: mshta.exe, 00000004.00000002.525407727.0000000009C6A000.00000004.00000001.sdmp	String found in binary or memory: http://_blanknone.topinlineurlspannone
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://api.blockcypher.com/v
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/a8
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/addrs/
Source: mshta.exe, 00000004.00000002.530058365.000000000BD43000.00000004.00000040.sdmp	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242174
Source: mshta.exe, 00000004.00000003.210958453.000000000688A000.00000004.00000001.sdmp	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/addrs/t
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/txs/
Source: mshta.exe, 00000004.00000002.525407727.0000000009C6A000.00000004.00000001.sdmp	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/txs/http://api.blockcypher.com/v1/btc/main/addrs/3
Source: mshta.exe, 00000004.00000003.210958453.000000000688A000.00000004.00000001.sdmp	String found in binary or memory: http://api.blockcypher.com/v1/btc/main/txs/tx
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529323493.000000000B9E0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.210958453.000000000688A000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: http://btc.blockr.io/api/v1/address/txs/
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://btc.blockr.io/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242033
Source: mshta.exe, 00000004.00000002.525407727.0000000009C6A000.00000004.00000001.sdmp	String found in binary or memory: http://btc.blockr.io/api/v1/address/txs/3
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: http://btc.blockr.io/api/v1/tx/info/
Source: mshta.exe, 00000004.00000003.213082994.0000000009C77000.00000004.00000001.sdmp	String found in binary or memory: http://btc.blockr.io/api/v1/tx/info/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt
Source: mshta.exe, 00000004.00000003.210958453.000000000688A000.00000004.00000001.sdmp	String found in binary or memory: http://btc.blockr.io/api/v1/tx/info/tx
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncE
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Cloudf$=
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.3
Source: mshta.exe, 00000004.00000002.529275430.000000000B993000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareInc
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: mshta.exe, 00000004.00000003.211394365.000000000688B000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikip
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: _README_.hta	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF
Source: mshta.exe, 00000004.00000002.529184716.000000000B8FA000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF8
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.528958054.000000000B7E9000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.525429644.0000000009C7A000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.524669906.0000000008AFE000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframe
Source: mshta.exe, 00000004.00000002.525429644.0000000009C7A000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframe1
Source: mshta.exe, 00000004.00000002.524669906.0000000008AFE000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframe7
Source: mshta.exe, 00000004.00000002.524669906.0000000008AFE000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframe=
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframeAIA
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframeD
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframeEHE
Source: mshta.exe, 00000004.00000002.529184716.000000000B8FA000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframeH
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframe_H/
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframekH
Source: mshta.exe, 00000004.00000003.219699667.0000000009C75000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EF?iframeres://ieframe.dll/navcancl.htm#htt
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EFEx
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.0cgaez.top/69CE-E9A2-A922-008C-16EFuy
Source: _README_.hta	String found in binary or memory: http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EF5y
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EFey
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.64ghwz.top/69CE-E9A2-A922-008C-16EFux
Source: _README_.hta	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EF%y
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFEF
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFEy
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFUy
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: http://ffoqr3ug7m726zou.onion.to/69CE-E9A2-A922-008C-16EFth
Source: _README_.hta	String found in binary or memory: http://ffoqr3ug7m726zou.onion/69CE-E9A2-A922-008C-16EF
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529323493.000000000B9E0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: mshta.exe, 00000004.00000002.529323493.000000000B9E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: mshta.exe, 00000004.00000002.524950570.0000000008C46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: mshta.exe, 00000004.00000002.529581895.000000000BAD3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: mshta.exe, 00000004.00000002.529275430.000000000B993000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/X
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: https://chain.so/api/v2/get_tx_outputs/btc/
Source: mshta.exe, 00000004.00000002.525407727.0000000009C6A000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_outputs/btc/3
Source: mshta.exe, 00000004.00000003.210958453.000000000688A000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_outputs/btc/tx
Source: mshta.exe, 00000004.00000002.524374463.0000000008AD2000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580
Source: mshta.exe, 00000004.00000003.219618569.0000000009EB9000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580D
Source: mshta.exe, 00000004.00000002.524374463.0000000008AD2000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580G=
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580b
Source: mshta.exe, 00000004.00000002.529184716.000000000B8FA000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580frame
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580z
Source: mshta.exe, 00000004.00000002.529275430.000000000B993000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/m
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: https://chain.so/t
Source: mshta.exe, 00000004.00000002.524669906.0000000008AFE000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: mshta.exe, 00000004.00000002.529184716.000000000B8FA000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580
Source: mshta.exe, 00000004.00000002.524374463.0000000008AD2000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580#
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580#Z
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580M
Source: mshta.exe, 00000004.00000002.529249101.000000000B958000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580SX
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: https://sochain.com/api/v2/get_tx_spent/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1614317242580m
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: https://www.baidu.com
Source: mshta.exe, 00000004.00000002.523942404.0000000008AA0000.00000004.00000001.sdmp, _README_.hta	String found in binary or memory: https://www.baidu.com/s?wd=%E6%80%8E%E4%B9%88%E5%AE%89%E8%A3%85%20tor%20%E6%B5%8F%E8%A7%88%E5%99%A8
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: _README_.hta	String found in binary or memory: https://www.torproject.org/download/download-easy.html.en
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.en%x
Source: mshta.exe, 00000004.00000002.529184716.000000000B8FA000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.en(
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.en5x
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.enUx
Source: mshta.exe, 00000004.00000002.524257058.0000000008AC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.enex
Source: mshta.exe, 00000004.00000002.524208160.0000000008AAF000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/download-easy.html.ent
Source: _README_.hta	String found in binary or memory: https://www.youtube.com
Source: _README_.hta	String found in binary or memory: https://www.youtube.com/results?search_query=Install

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443

Source: unknown

HTTPS traffic detected: 104.21.50.61:443 -> 192.168.2.3:49722 version: TLS 1.2

System Summary:

Searches for the Microsoft Outlook file path

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal52.evad.winHTA@4/17@6/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF2363864BE1807E55.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5596 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5596 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: mshta.exe, 00000004.00000002.530073206.000000000BD50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: mshta.exe, 00000004.00000002.529225157.000000000B92F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWq
Source: mshta.exe, 00000004.00000002.524374463.0000000008AD2000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW8$
Source: mshta.exe, 00000004.00000002.530073206.000000000BD50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: mshta.exe, 00000004.00000002.530073206.000000000BD50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mshta.exe, 00000004.00000002.530073206.000000000BD50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Source: mshta.exe, 00000004.00000002.515569969.0000000003A80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: mshta.exe, 00000004.00000002.515569969.0000000003A80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000004.00000002.515569969.0000000003A80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: mshta.exe, 00000004.00000002.515569969.0000000003A80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior

ID:	358574
Product:	CloudBasic
Start time:	21:26:27
Start date:	25.02.2021
Sample:	_README_.hta
Cookbook:	defaultwindowshtmlcookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	a295730ebb333c25f60e89b138c5339a
SHA1:	0f801ce60dc3e87de26b9a81cc27a92a59ed834e
SHA256:	f8aecc5461cfcca774dab51e8473b1265a8030e2de8a76629a42fe82003f8f09
Filetype:	HyperText Markup Language (15015/1) 20.56%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{468DF488-77F3-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	0288DE4A12421EA84DB0E05A9C53F3FC	0D475F325EB1B5157C8C749DEB3F636CE6B48CAB	C64B72C7732E789AE0D3560002455EA4690C2E28E9A356073891D2EC083790C7
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{468DF48A-77F3-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	EEEEA0F94420C6F330BFEAB6D25DA7E4	CD744D9839627B03B523C283943F55C227D6D6ED	76D1FAAE90E8464E77A36F460B979F047903993FB05D3FA9644A57136C3E6981
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	DFEABDE84792228093A5A270352395B6	E41258C9576721025926326F76063C2305586F76	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dnserrordiagoff[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	7E81A79F38695E467A49EE41DD24146D	035E110C36BF3072525B05394F73D1BA54D0D316	A705D1E0916A79B0D6E60C41A9CE301ED95B3FC00E927F940AB27061C208A536
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\navcancl[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	4BCFE9F8DB04948CDDB5E31FE6A7F984	42464C70FC16F3F361C2419751ACD57D51613CDF	BEE0439FCF31DE76D6E2D7FD377A24A34AC8763D5BF4114DA5E1663009E24228
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\navcancl[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	4BCFE9F8DB04948CDDB5E31FE6A7F984	42464C70FC16F3F361C2419751ACD57D51613CDF	BEE0439FCF31DE76D6E2D7FD377A24A34AC8763D5BF4114DA5E1663009E24228
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	FE59F84B849AE6DA816C51CA09FC1B21	8FABFCD85C9B66D9529009E3C1D558B75BB727DF	5CAD014E50163B92B5F061EA49142D8AAF11BD7AA089B9646442A6D19A1C685E
C:\Users\user\AppData\Local\Temp\~DF0764BFA3308680EE.TMP	data	A0D7EA912FC3A31A3F48DF8FB8570E53	8DC44ADED638EAE0C2CB5D0B6048D9481E85F0AD	A487382F1564573A4D1D634C5C5093EBAD0B6B6D538831BA4413ABFCB2EE18AB
C:\Users\user\AppData\Local\Temp\~DF2363864BE1807E55.TMP	data	B60C1E6EFD6DC771A043A69C54B62C22	270092670EFF4258420B857F91F998B559EEE964	462272191D1F1CDE9D95D153E0E4EC8006E05E04153470909588DB58BAE33F30

Analysis Report _README_.hta

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs